From: DenverD on
houghi wrote:
> is his nationality? Finnish.

but, he lives in Portland Oregon, which is a cool city (for the USA)
so i'm gonna trust him to personally check all the opensuse and kernel
repos! ;-)

--
DenverD (Linux Counter 282315) via Thunderbird 2.0.0.23 (20090817),
KDE 3.5.7 "release 72-11", openSUSE Linux 10.3, 2.6.22.19-0.4-default
#1 SMP i686 athlon
From: Vahis on
On 2010-03-23, houghi <houghi(a)houghi.org.invalid> wrote:
> David Bolt wrote:
>> How well can you trust _any_ mirror? Kernel.org is listed as one of the
>> mirrors for openSUSE, and so Novell believes they are trustworthy.
>
> As Novell is a frontend for Microsoft (or so I am led to believe) how
> far can you trust Novell? And as Novell contributes to the kernel, how
> much can you trust Linux? As Linux is not trustworthy clearly, we must
> look at the person who made something as untrustworthy as Linux. And what
> is his nationality? Finnish. As they are now proven to be not to be
> trusted, it is clear that they did not actually win the Eurosongvision.
>
> http://www.youtube.com/watch?v=GL_NuztoYSE
>
> Those are the people you do not want to annoy.

LOL. I just happened to start a Finnish piece of software, PuTTY, on a Finnish
mobile phone, Nokia. I connected to my Linux box, installed from a
Finnish repo and saw your post.

I wouldn't recommend doing this outside of Finland.

Luckily the car I'm in is German :)

Vahis
--
http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
17:00pm up 22:22, 17 users, load average: 0.07, 0.29, 0.24
From: Rajko M. on
David Bolt wrote:

> On Tuesday 23 Mar 2010 08:38, while playing with a tin of spray paint,
> Darklight painted this mural:
>
>> how well can you trust those mirrors
>
> How well can you trust _any_ mirror? Kernel.org is listed as one of the
> mirrors for openSUSE, and so Novell believes they are trustworthy.

Nothing to do with Novell, nor openSUSE. It is relatively easy to become an
openSUSE mirror, but the magic that provides trust is not in package
management alone. It is package management in combination with
http://download.opensuse.org, i.e. http://mirrorbrain.org/, that is serving
repository metadata from a single source and managing redirects.

As long as you don't use the script in the first post that will force package
management software to pick repository meta information from a mirror, but
leave http://download.opensuse.org as the source of that information, you can
trust any mirror as much as you trust openSUSE, provided that you don't
ignore warnings about wrong checksums, signatures etc.

As soon as you use a mirror as the source of repository meta information, you
had better use a trusted mirror.

A mirror operator has the power to replace meta information and install on your
computer anything using the same package management that is trustworthy when
used in combination with http://download.opensuse.org .


[1] http://www.cs.arizona.edu/stork/packagemanagersecurity/
The claim that all are vulnerable is not really correct, which can be seen
in "Other Attacks":
http://www.cs.arizona.edu/stork/packagemanagersecurity/otherattacks.html

If you want to be safe use YaST :)



--
Regards Rajko,
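
The check implied by Rajko's post above, as an added example that is not part of the thread: a shell function that lists enabled repositories whose metadata is fetched from a host other than download.opensuse.org, or that have gpgcheck switched off. The function names, the sample hosts and the defaults used for missing keys are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. On a real system the input would be
# /etc/zypp/repos.d/*.repo; here a constructed sample file is used.
TRUSTED_HOST="download.opensuse.org"

# audit_repos FILE... : prints "<repo-id> <finding>", one line per finding.
audit_repos() {
    awk -v trusted="$TRUSTED_HOST" '
        function report() {
            if (id == "" || enabled == "0") return       # skip disabled repos
            if (host != trusted) print id, "metadata-from:" host
            if (gpg == "0")      print id, "gpgcheck-disabled"
        }
        # New section: report the previous one, reset to assumed defaults.
        /^\[.*\]$/ { report(); id = substr($0, 2, length($0) - 2)
                     enabled = "1"; gpg = "1"; host = "(none)"; next }
        /^enabled=/  { enabled = substr($0, 9) }
        /^gpgcheck=/ { gpg = substr($0, 10) }
        /^baseurl=/  { url = substr($0, 9)
                       sub("^[a-z]+://", "", url)   # drop the scheme
                       sub("[/:].*$", "", url)      # drop port and path
                       host = url }
        END { report() }
    ' "$@"
}

# Constructed sample input; mirror.example.net is a placeholder host.
write_sample() {
    cat > "$1" <<'EOF'
[repo-oss]
enabled=1
baseurl=http://download.opensuse.org/distribution/11.2/repo/oss/
gpgcheck=1
[repo-update-mirror]
enabled=1
baseurl=http://mirror.example.net/opensuse/update/11.2/
[old-mirror]
enabled=0
baseurl=ftp://mirror.example.net/opensuse/
[repo-nocheck]
enabled=1
baseurl=http://download.opensuse.org/repositories/example/
gpgcheck=0
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && audit_repos "$tmp"
rm -f "$tmp"
```

Third-party repositories hosted elsewhere will also be listed; the output is a list of repositories to review, not a verdict.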