[packagekit] 1-click; Third party vendors; etc.

Patryk Zawadzki patrys at pld-linux.org
Mon Jun 2 05:44:25 PDT 2008

On Mon, Jun 2, 2008 at 2:12 PM, Benji Weber <benji at opensuse.org> wrote:
> b) It is not the easiest attack vector.
> If you wanted to do something malicious to a users' machine, why would
> you utilise a process that requires the user to trust your identity
> and be presented with warnings telling them that it is potentially a
> bad idea? It is considerably easier to get users to execute arbitrary
> binaries.

It will be the easiest attack vector as soon as users learn to just
blindly click any 1-click-install button they can find. "Sure it has
to be secure, it even gives some messages about security. Just click

The other problem: imagine a third party repo being compromised. What
can you do? How will you know? You probably read all the news related
to your distro but do you follow all the FLOSS project pages? How can
you detect and undo `rpm --import /tmp/hax0red.key` done in a
legitimate looking rpm's %post?

Plus I still don't get why it's ultimately better to get upstream
packaging software for any distro. Not that any project has developers
running all the available Linux flavors in all (un-)stable versions.
The end result is foobuntu (no pun intended, insert any non-mainstream
distro here) developers ignore a 0-day SCE as they do not ship said
package while their users feel safe (no foobuntu SCE this month)
running exploitable software.

Patryk Zawadzki
PLD Linux Distribution

More information about the PackageKit mailing list