Linux security

Daniel Carrera daniel.carrera at
Sat Apr 29 11:07:54 UTC 2006

Toby Kelsey wrote:
> Currently it's important, but if Ubuntu becomes a base for 3rd-party software,
> this distinction will erode.  If there was a mechanism for 3rd-party software to
> get a Ubuntu "stamp of approval" (checked for during the install) which means it
> has been audited for sensible behaviour that would help, but this would have to
> be paid for and there would need to be a trustworthy auditing group.

There is already a certification for third-party software in Ubuntu. 
It's paid for, like you said. This system could be extended to add a GPG 
signature to the package or some such. Aren't .deb packages already 
signed in some way?

>>Perhaps. Though the user might wonder why Firefox is suddenly asking him
>>for a password. (this is an example of an attack made more difficult by
>>Ubuntu's design).
> Actually I was thinking more of modifying the menu item for Synaptic to start a
> trojan wrapper program.  How often do you check what your Synaptic menu item
> actually runs?

Ok. Good point.

On the other hand, how often do you run Synaptic? Yes, you'll get 
infected eventually, but hear me out. The fact that you use Synaptic 
infrequently means that the speed at which the virus spreads will be 
very slow. For a virus to be "successful" on a large scale, it needs to 
replicate faster than it can get stamped out. Reducing the replication 
rate makes Linux less hospitable to viruses.

    /\/_/   ...and starting today, all passwords must contain
    \/_/    letters, numbers, doodles, sign language and
    /       squirrel noises.

More information about the ubuntu-users mailing list