An anonymous reader writes: OK. So we all know that Linux security is the greatest thing since OpenBSD. But in light of the growing popularity of VOTD package managers and 3rd party repositories, I wonder just how secure My Favorite Distribution is, if at all. Obviously there must be some degree of trust when using any software, even open source software. The fact is that millions of Linux users are just that, users. Not QA/security analysts, not developers, not even open source zealots, just users of good free software. But think about it.
Let's say we trust the kernel. (Duh!) Check.
Let's say we all trust upstream. High integrity developers with a small following of code inspectors. Secure enough servers. And md5sums for all. Check.
Let's say we trust the distribution engineering team. Canonical check. Novell (cough) check. Gentusers check. (Just picking on a few.) But this, of course, is limited to each distro's blessed package sets and promised security upgrades.
And everyone knows that eventually a 3rd party repository becomes necessary (bear with me).
Is universe, multiverse, restricted safe? (debuntu crowd boos!) The docs say no security or real QA is performed on these.
Is packman, guru, etc. safe? (flaming darts from chameleon lovers!) Some admins have actually said "there is *no* QA, just trust us... we package upstream as fast as we can."
Is portage safe? So pure. So devoid of real QA. I DARE you to tweak your USE flags and not run into compatibility issues. How can security be any better? (Knock on my door... I'm getting nervous!)
Is rpm-repo-of-the-day safe? My CentOS is going down son! (Is that... Richard?)
No. Nothing is 100% safe. But it just seems like there is nothing stopping some serious harm to the community.
Oh yeah... one-click software install almost killed me! (Sorry opensuse... we were friends until that insecure mess started).
Please do not say... well if you are concerned just read the source. That is not practical. Any real software engineers can attest to this.
What about SELinux and AppArmor? When developers start releasing AppArmor configs for their apps, I will feel better. And SE is, well, intense.
So. Why do you trust your distro + repos?
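The submission's trust chain ("md5sums for all", a repository you have no QA visibility into) comes down to one question a client can actually check: is the checksum list itself signed by a key you pinned in advance, and does the package you downloaded match that list? The program below is an added example written for this page, not code from the submitter or from any distribution's package manager. It models a repository with an Ed25519 signing key generated in-process, publishes a signed manifest of SHA-256 package hashes, and shows a client that rejects a package tampered on a mirror, a package that is not in the manifest, a forged manifest, and a manifest signed by some other repository's key. All package names, payloads and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Repo models the signing side of a distribution or third-party repository
// (constructed for this example). In practice the private key lives on an
// offline signing host, not beside the served packages.
type Repo struct {
	priv     ed25519.PrivateKey
	packages map[string][]byte
}

// NewRepo generates a fresh signing key for the example repository.
func NewRepo(packages map[string][]byte) (*Repo, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Repo{priv: priv, packages: packages}, nil
}

// PublicKey is the value a client pins ahead of time (the "trusted key").
func (r *Repo) PublicKey() ed25519.PublicKey {
	return r.priv.Public().(ed25519.PublicKey)
}

// Manifest renders the checksum list the repository publishes, one
// "name sha256hex" line per package, sorted so the bytes are deterministic,
// and returns it together with its Ed25519 signature.
func (r *Repo) Manifest() (manifest, sig []byte) {
	names := make([]string, 0, len(r.packages))
	for n := range r.packages {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(r.packages[n])
		fmt.Fprintf(&sb, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	manifest = []byte(sb.String())
	return manifest, ed25519.Sign(r.priv, manifest)
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the trusted key")
	ErrNotListed    = errors.New("package is not present in the signed manifest")
	ErrHashMismatch = errors.New("package hash does not match the signed manifest")
)

// VerifyPackage is the client side. It trusts nothing but trustedKey:
// the manifest signature is checked before any hash in it is believed,
// so a mirror that rewrites both package and checksum list still fails.
func VerifyPackage(trustedKey ed25519.PublicKey, manifest, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(trustedKey, manifest, sig) {
		return ErrBadSignature
	}
	want := ""
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[0] == name {
			want = fields[1]
			break
		}
	}
	if want == "" {
		return ErrNotListed
	}
	got := sha256.Sum256(pkg)
	if hex.EncodeToString(got[:]) != want {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed packages; real ones would be .deb/.rpm/ebuild archives.
	repo, err := NewRepo(map[string][]byte{
		"hello_1.0.deb": []byte("constructed package payload: hello"),
		"vim_9.0.deb":   []byte("constructed package payload: vim"),
	})
	if err != nil {
		panic(err)
	}
	trusted := repo.PublicKey()
	manifest, sig := repo.Manifest()

	fmt.Println("clean package:   ", VerifyPackage(trusted, manifest, sig, "hello_1.0.deb", []byte("constructed package payload: hello")))
	fmt.Println("tampered package:", VerifyPackage(trusted, manifest, sig, "hello_1.0.deb", []byte("constructed package payload: hello+backdoor")))
	fmt.Println("unlisted package:", VerifyPackage(trusted, manifest, sig, "evil_0.1.deb", []byte("x")))

	// A mirror that edits the manifest to match its tampered package still fails,
	// because it cannot re-sign with the pinned key.
	forged := append([]byte{}, manifest...)
	forged[len(forged)-2] ^= 1
	fmt.Println("forged manifest: ", VerifyPackage(trusted, forged, sig, "vim_9.0.deb", []byte("constructed package payload: vim")))

	// A manifest signed by some other repository's key is equally rejected.
	other, _ := NewRepo(map[string][]byte{"vim_9.0.deb": []byte("constructed package payload: vim")})
	om, osig := other.Manifest()
	fmt.Println("untrusted key:   ", VerifyPackage(trusted, om, osig, "vim_9.0.deb", []byte("constructed package payload: vim")))
}
```

The point of the ordering inside VerifyPackage is that the hash list is only as trustworthy as the signature over it: an unsigned checksum file on the same mirror as the packages protects against download corruption, not against the mirror. Adding a third-party repository is therefore equivalent to adding that repository's key to the set whose signatures you will accept, which is exactly the trust decision the submission is asking about.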