• Re: Mozilla's apt repository; was: Refugee from [x]ubuntu, a few initia

    From Michael Kjörling@21:1/5 to All on Fri Oct 11 09:40:01 2024
    On 10 Oct 2024 19:53 +0100, from brad@fineby.me.uk (Brad Rogers):
    > > Though I would adjust that apt pinning configuration slightly to favor
    > > only firefox and maybe thunderbird packages from their repository,
    >
    > AFAICT, the repo you cited has firefox(1) only.

    That sounds like an even better argument for not pinning _everything_
    coming from that repository at priority 1000.

    --
    Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
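    To make the two positions in this exchange concrete, here is an added example of an apt preferences file (written for this page; it is not from the thread, and not Mozilla's own documentation). It assumes the repository's origin host is packages.mozilla.org, which Mozilla's published install instructions use but which nobody in the thread quotes; check the hostname in your own sources.list entry before copying it.

```text
# /etc/apt/preferences.d/mozilla   (example layout, not from the thread)
#
# The broad form under discussion: every package the origin publishes
# outranks Debian's own package of the same name, whatever it is.
#
#   Package: *
#   Pin: origin packages.mozilla.org
#   Pin-Priority: 1000
#
# The narrower form: only firefox (and its -l10n language packs) may come
# from that origin at priority 1000. Anything else it ships is pinned so
# low that apt never prefers it over Debian's version and never installs
# it unless explicitly asked for.

Package: firefox firefox-l10n-*
Pin: origin packages.mozilla.org
Pin-Priority: 1000

Package: *
Pin: origin packages.mozilla.org
Pin-Priority: 1
```

    The `Package: firefox firefox-l10n-*` stanza is a specific-form record and takes precedence over the general `Package: *` record for the packages it names, so the two stanzas do not conflict. After writing the file, `apt-cache policy firefox` shows which version is the candidate and from which origin, and a bare `apt-cache policy` lists the priority apt has assigned to each configured source, which is the quickest way to confirm that nothing else from that origin sits at 1000.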
  • From tomas@tuxteam.de@21:1/5 to debian-user@howorth.org.uk on Fri Oct 11 14:00:01 2024
    On Fri, Oct 11, 2024 at 11:56:12AM +0100, debian-user@howorth.org.uk wrote:
    > Brad Rogers <brad@fineby.me.uk> wrote:
    > > On Fri, 11 Oct 2024 07:37:03 +0000
    > > Michael Kjörling <c9bc136c6063@ewoof.net> wrote:
    > >
    > > Hello Michael,
    > >
    > > > That sounds like an even better argument for not pinning _everything_
    > > > coming from that repository at priority 1000.
    > >
    > > Maybe, but;
    > >
    > > As an experiment, I added the mozilla repo and updated. Everything
    > > from their repos was listed as 'new'. Nothing was marked to be
    > > upgraded. By extension, I would expect stable to behave in the same manner.
    >
    > I think the point is not about what actually happens now, but what
    > might happen in future if some evil actor gets access to mozilla's
    > repository and injects some malware into it.
    >
    > And thus the degree of trust that ought to be given to the repository
    > and the degree of trust that it ought to ask for out of the box.

    Thing is, these days libc is not my most valuable asset.
    See xkcd 1200 [1].

    Cheers
    [1] https://xkcd.com/1200/


  • From debian-user@howorth.org.uk@21:1/5 to Brad Rogers on Fri Oct 11 13:20:01 2024
    Brad Rogers <brad@fineby.me.uk> wrote:
    > On Fri, 11 Oct 2024 07:37:03 +0000
    > Michael Kjörling <c9bc136c6063@ewoof.net> wrote:
    >
    > Hello Michael,
    >
    > > That sounds like an even better argument for not pinning _everything_
    > > coming from that repository at priority 1000.
    >
    > Maybe, but;
    >
    > As an experiment, I added the mozilla repo and updated. Everything
    > from their repos was listed as 'new'. Nothing was marked to be
    > upgraded. By extension, I would expect stable to behave in the same
    > manner.

    I think the point is not about what actually happens now, but what
    might happen in future if some evil actor gets access to mozilla's
    repository and injects some malware into it.

    And thus the degree of trust that ought to be given to the repository
    and the degree of trust that it ought to ask for out of the box.

  • From Florent Rougon@21:1/5 to All on Fri Oct 11 17:50:01 2024
    Hi,

    On 11/10/2024, Brad Rogers <brad@fineby.me.uk> wrote:

    > > ...if some evil actor gets access to mozilla's
    > > repository and injects some malware into it.
    >
    > A point I missed. Clearly.
    >
    > Thanks for highlighting.

    This is not very convincing. If an evil actor were in a position to do
    that, they would probably sneak the malware in firefox itself rather
    than in an unrelated package. Way more discreet.

    Regards

    --
    Florent
