[CoLoCo] Possibly Stupid Ubuntu Question
Ringo
2600denver at gmail.com
Sat Dec 5 22:37:53 GMT 2009
Hey Ubunteros,

I have a quick question. I have the main Ubuntu repositories enabled as
well as some third party ones for other software I have. All of them use
PGP signatures to verify the downloads.

When Ubuntu looks for upgrades, one could theoretically put a backdoored
version of an upgrade (with a higher than possible version number) in
one of these third party repositories (or the community repos). If I
originally installed software from the official Ubuntu repos, is it
possible that apt would upgrade from a non-official one? If so, how
could I stop this and/or is there a way to see in synaptic/other
programs where the upgrades are coming from?

Thanks,
Ringo
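On the "where are the upgrades coming from" part of the question: `apt-cache policy <package>` prints the installed version, the candidate version, and the archive each version comes from. The script below is an added example, not part of the original message; it reads that output and lists packages whose pending upgrade is offered only by an archive outside a trusted-host pattern. The function names, the sample output and the host `ppa.example.org` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `apt-cache policy <package>`.
sample_policy() {
cat <<'EOF'
examplepkg:
  Installed: 1.0-1ubuntu1
  Candidate: 99.0-1
  Version table:
     99.0-1 0
        500 http://ppa.example.org karmic/main Packages
 *** 1.0-1ubuntu1 0
        500 http://archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status
otherpkg:
  Installed: 2.0-1
  Candidate: 2.1-1
  Version table:
     2.1-1 0
        500 http://security.ubuntu.com karmic-security/main Packages
 *** 2.0-1 0
        500 http://archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status
EOF
}

# Reads `apt-cache policy` output on stdin. $1 is an extended regex of trusted
# archive URLs. Prints "package candidate-version source" for every pending
# upgrade whose candidate version is not offered by any trusted archive.
flag_foreign_candidates() {
    awk -v trusted="$1" '
        function report() {
            if (pkg != "" && cand != inst && cand != "(none)" && !ok)
                print pkg, cand, src
        }
        # "name:" at column 0 starts a new package stanza.
        /^[^ ].*:$/      { report(); pkg = substr($0, 1, length($0) - 1)
                           inst = cand = src = ""; ok = 0; in_cand = 0; next }
        /^  Installed:/  { inst = $2; next }
        /^  Candidate:/  { cand = $2; next }
        # Source lines (8-space indent): "priority URL suite/component Packages".
        /^        [0-9]/ { if (in_cand && $2 != "/var/lib/dpkg/status") {
                               if ($2 ~ trusted) ok = 1
                               else if (src == "") src = $2 }
                           next }
        # Version lines; "***" marks the installed version.
        /^ ( |\*)/       { ver = ($1 == "***") ? $2 : $1; in_cand = (ver == cand) }
        END              { report() }
    '
}

sample_policy | flag_foreign_candidates '^http://(archive|security)[.]ubuntu[.]com'
```

On a real system, pipe `apt-cache policy` output for the packages of interest into `flag_foreign_candidates` in place of `sample_policy`.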