Full Disclosure mailing list archives
Re: Skype Debian package: allows complete machine takeover for Microsoft
From: coderaptor <coderaptor () gmail com>
Date: Fri, 12 Oct 2018 12:24:37 -0700
While I do agree with the decision of trust resting on the sysadmin's shoulder, I disagree with trusting Microsoft just because they have contributed to the kernel and have been supportive of open source. The trust decisions have to be based on technical merit than societal standing. For me, I disallow both Google and Microsoft to insert their repo.. Thanks. -coderaptor On Fri, Oct 5, 2018 at 10:18 AM Michael Lazin <microlaser () gmail com> wrote:
While things like this have appeared in the news, http://www.securitynewspaper.com/2018/07/14/malicious-software-packages-at-linux-repositories/, I don't think this deserves a critical rating. Are you going to give Chrome for linux a critical rating because it installs the google repository? As a system administrator you have to make a decision about how much you trust Google and Microsoft, Microsoft has contributed to the Linux kernel and has been supportive of open source of late. On Tue, Oct 2, 2018 at 11:10 AM Seth Arnold <seth.arnold () canonical com> wrote:On Tue, Sep 25, 2018 at 07:04:18PM +0200, Enrico Weigelt, metux IT consult wrote:Operator's workaround: [..] c) use apt pinning to restrict the Microsoft repo to only the package 'skypeforlinux'Please note that the Debian package pre/post inst/rm scripts run with full root privileges without any constraints on what they can do. If your threat model includes either a disclosure of Microsoft's APT repository signing key or malicious use of this key by Microsoft then this workaround does not address these threats. Thanks _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/-- Michael Lazin to gar auto estin noein te kai ennai _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: Skype Debian package: allows complete machine takeover for Microsoft Seth Arnold (Oct 02)
- Re: Skype Debian package: allows complete machine takeover for Microsoft Michael Lazin (Oct 05)
- Re: Skype Debian package: allows complete machine takeover for Microsoft coderaptor (Oct 16)
- Re: Skype Debian package: allows complete machine takeover for Microsoft Michael Lazin (Oct 05)