Automatix?

Reinhard Tartler siretart at tauware.de
Tue Mar 28 07:27:00 UTC 2006


'Forum Post wrote:

> I repeat there is no security concern in automatix currently. 

don't make me laugh. There are SEVERE security concerns currently. 
See my earlier post for details.

> It merely automates installation of packages like java, w32codecs with
> the the echo yes command because there are no GPG keys available from
> the repositories which they are downloaded and installed from. This is
> not definitely not a security concern because it does not pull any
> additional packages with itself which might prove to be a potential
> risk.

It does not give any debugging aid in case of problems, and it does not
check the integrity of the added keys, which are fetched from some
random public keyserver, to which anybody could upload any key.

> All dependencies are taken care of when the echo command is used.

there are no consistency checks before calling apt. If the repository
gets broken (something which automatix doesn't check), the user is left
in the cold.

> Hence, there ARE NO SECURITY CONCERNS with automatix. 
I gave you some. I'm awaiting your answer.

Greetings,
	Reinhard








More information about the ubuntu-users mailing list