security of the universe repository
Chandra Amarasingham
camarasingham at yahoo.com
Thu Dec 20 02:58:48 UTC 2012

Thanks Amichai,

I had browsed through that link as well as searched around the internet
again... I found this link:

http://ubuntuforums.org/archive/index.php/t-1199641.html

The last sentence seems to imply that the Main repository does get more
(perhaps significantly more) attention from Ubuntu. I would
like to see an anti-virus (anti-malware, I don't know these terms well)
program included in Main, that way there is some protection from other
sources... I would think that it makes sense for anti-virus to be part
of the "base" system.

Chandra

On 12/19/2012 09:54 PM, Amichai Rotman wrote:
> Although it's a bit old, it is still relevant:
>
> https://help.ubuntu.com/10.04/add-applications/C/index.html
>
> Does this answer your questions?
>
>
> Amichai Rotman
> Penguin - FLOSS Computer Service and Technical Consulting
> +972-73-7962360 || +972-54-4605787
>
>
>
> On Wed, Dec 19, 2012 at 2:35 AM, Chandra Amarasingham
> <camarasingham at yahoo.com> wrote:
>
> Thanks Tom and Amichai.
>
> I had assumed that the packages in Main go through a more
> stringent auditing process before inclusion thus perhaps being
> more secure. If it's just support and update I guess one is as
> secure as the other at least when initially delivered.
>
> I have a vague recollection that malicious code has entered open
> source projects and subsequently had to be cleaned, even perhaps
> in the source code. I guess this is unavoidable (as risk in life
> is unavoidable) but was wondering what "best practice" in the open
> source world would look like regarding installation of software
> (i.e. minimizing the risk, not only to protect one's self but one's
> customers, etc., who derive work from one's system) especially from
> community maintained sources.
>
> If some malicious code is found to have entered an Ubuntu system,
> would there be an audit trail which would enable efficient
> investigation of where and when it may have entered? And who would
> know more about it? I understand that community maintained
> packages are signed, etc.
>
> I am a little vague on how the whole open source process
> works... Debian to Ubuntu, source to binaries, etc., and have
> thought that if there was a registered company behind a repository
> it may have higher credibility.
>
> Are there things you can do to monitor when executables on your
> system get changed, e.g. run a hash on all executables
> regularly, etc. (probably would take a long time)?
>
> These are some of my thoughts...
> Chandra
>
>
>
> On 12/19/2012 01:01 AM, Amichai Rotman wrote:
>> I think the OP is referring to the fact the Universe / Multiverse
>> repositories are not supported directly by Canonical, but by the
>> community. So the OP, being a long time Windows user, I guess,
>> assumes it is potentially open to malicious code...
>>
>> Chandra: No need to worry!
>>
>> Although Linux viruses exist, they pose very little threat to
>> your Ubuntu. On the other hand, if you use the same computer with
>> Windows, and download files from the Internet, make sure to scan
>> them regularly with an updated Anti Virus. You can safely install
>> ClamAV + ClamTk (its graphical front-end) and use it to scan
>> your Windows partition from within Ubuntu.
>>
>> The fact that the Universe / Multiverse repositories are not
>> supported by Canonical just means you have to seek the
>> community's help and support for the applications you installed
>> from them, and not contact Canonical.
>>
>> I hope I was helpful and didn't confuse you even further ;-)
>>
>>
>> Amichai Rotman
>> Penguin - FLOSS Computer Service and Technical Consulting
>> +972-73-7962360 || +972-54-4605787
>>
>>
>>
>> On Tue, Dec 18, 2012 at 2:45 PM, Tom H
>> <tomh0665 at gmail.com> wrote:
>>
>> On Tue, Dec 18, 2012 at 12:57 AM, Chandra Amarasingham
>> <camarasingham at yahoo.com> wrote:
>> >
>> > I am wondering if there is an "official" word on the security of the
>> > universe repository compared to the Main repository. By security I mean free
>> > from malicious code.
>> >
>> > I don't think there are anti-virus programs in the Main repository, but I
>> > think clam anti-virus is in the universe repository.....but that means I am
>> > not able to be confident that the clam anti-virus itself does have malicious
>> > aspects (eg. from other sources...).
>> >
>> > I thought it would be nice to have some scanning software in the main
>> > repository which can be used to scan software from other repositories which
>> > don't enjoy the same level of confidence.
>>
>> Why would the universe/multiverse repositories be insecure? They're
>> packages rebuilt from Debian just like those in main/restricted.
>>
>> --
>> ubuntu-users mailing list
>> ubuntu-users at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>>
>>
>>
>>
>
>
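
Added example, not part of the original thread: one way to do what the quoted question about hashing executables describes, by recording SHA-256 hashes of every executable under a directory and later reporting files that were added, changed or removed. The function names (`fim_snapshot`, `fim_compare`, `fim_demo`) and the demo files are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): baseline-and-compare hashing of executables.

# fim_snapshot DIR: print "sha256  path" for every regular file under DIR
# that has any execute bit set, sorted by path.
fim_snapshot() {
    find "$1" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec sha256sum -- {} + | LC_ALL=C sort -k 2
}

# fim_compare OLD NEW: print ADDED/CHANGED/REMOVED lines for the differences
# between two snapshots; exit status 1 when anything differs, 0 otherwise.
fim_compare() {
    fim_out=$(awk '
        {
            line = $0
            sub(/^\\/, "", line)      # sha256sum marks escaped names with a leading "\"
            hash = substr(line, 1, 64)
            path = substr(line, 67)   # skip the hash and the two-character separator
        }
        FILENAME == ARGV[1] { old[path] = hash; next }
        !(path in old)      { print "ADDED " path; next }
        old[path] != hash   { print "CHANGED " path }
                            { seen[path] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort)
    [ -z "$fim_out" ] && return 0
    printf '%s\n' "$fim_out"
    return 1
}

# fim_demo: constructed scenario in a temp dir (one executable modified, one
# added, one removed); prints the resulting report.
fim_demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/bin"
    printf 'v1\n' > "$d/bin/tool"; printf 'a\n' > "$d/bin/old"
    printf 'data\n' > "$d/bin/notes.txt"                 # not executable: ignored
    chmod 755 "$d/bin/tool" "$d/bin/old"
    (cd "$d" && fim_snapshot bin) > "$d/base.sha256"     # baseline
    printf 'v2\n' > "$d/bin/tool"                        # modified
    rm "$d/bin/old"                                      # removed
    printf 'x\n' > "$d/bin/new"; chmod 755 "$d/bin/new"  # added
    (cd "$d" && fim_snapshot bin) > "$d/now.sha256"
    fim_compare "$d/base.sha256" "$d/now.sha256" || :
    rm -rf "$d"
}

fim_demo
```

Keep the baseline on read-only or offline media, since a baseline stored on the monitored host can be rewritten along with the binaries. For files installed from packages, `debsums` or `dpkg --verify` compares them against the checksums shipped with each package, and `/var/log/dpkg.log` records when each package was installed or upgraded.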