Software updater snuck in a package that is unwanted

Ralf Mardorf silver.bullet at zoho.com
Sat Oct 21 17:12:30 UTC 2017


On Sat, 21 Oct 2017 16:37:10 +0200, Oliver Grawert wrote:
>hi,
>On Saturday, 21.10.2017, 18:38 +0800, Bret Busby wrote:
>> On 21/10/2017, Ralf Mardorf <silver.bullet at zoho.com> wrote:
>...
>> >
>> I assume that you are not subscribed to the CERT advisories, as you
>> appear to be unaware of the nature of the content of the CERT
>> advisories.
>>
>
>luckily ralf uses a distribution where there is a paid a team of
>developers to do this for him, grab the provided security fixes, patch
>the packages and make sure they are sent out to the users via the
>built-in update mechanism the distro has installed and set-up by
>default ;)

Actually I'm using several Linux distros and apart from the fact that
all of them have got security teams, I'm subscribed to many Linux
related and FreeBSD related mailing lists. I'm not subscribed to
security mailing lists, but if something absolutely extraordinary
happens, such as the Heartbleed security bug, this becomes a topic on
several mailing lists. Btw. there is also software available that
audits security pages and checks packages from official repos and
sometimes perhaps even third party packages against common
vulnerabilities. It's easier to do this for packages from official
repositories, if the distro should provide a security related general
chart, as at least Ubuntu and Arch Linux do. Such software makes more
sense for a distro aimed for power users, so users could decide to
downgrade, upgrade from a testing repository or to do any other
appropriate action.

Btw. I often ignore security information. An example:

[rocketmouse at archlinux ~]$ echo $(arch-audit -f "%n | " | sort) | sed s/.$//
binutils | cairo | exiv2 | faad2 | ffmpeg2.8 | go | jasper | lame | libffi | libvorbis | libzip | linux | openjpeg2 | pcre | zziplib 
[rocketmouse at archlinux ~]$ arch-audit --upgradable --quiet
linux>=4.14.1-1
[rocketmouse at archlinux ~]$ uname -r
4.13.7-rt1-1-rt

I could build a longterm ( https://www.kernel.org/ ) kernel with the
real-time patch, but I would like to use, or at least to test, the
"latest and greatest" ;). The linux-rt package is a self-built package;
neither the official Ubuntu nor the official Arch repositories provide it.

OTOH usually I'm using linux-rt for audio productions, with no Internet
involved at all and I've got backups on external discs of all my Linux
installs and all data.

I don't care much about the hype in the German news, such as the latest
WPA issue, not only because most connections I'm using are cable
links. I keep my software, including Internet software up-to-date.

Note, Ubuntu doesn't fix all issues from official repositories, not even
all high-security-risk issues.
https://packages.ubuntu.com/xenial/claws-mail-fancy-plugin is from
_universe_, anyway, webkit is very risky and from _universe_, too, OTOH
a lot of Linux users are still using the old webkit without ever
experiencing an issue.

"Ubuntu provides four different official software repositories:

    Main

    Restricted

    Universe

    Multiverse

Main – Officially Supported, Open-Source Software:

Licence: Open Source
Updates: Canonical provides critical updates.

Restricted – Officially Supported, Closed-Source Software:

Licence: Proprietary
Updates: Canonical provides critical updates supplied by the developers.

Universe – Community-Maintained, Open-Source Software:

Licence: Open source
Updates: Canonical does not provide updates.
Some updates may be provided by the Ubuntu community.

Multiverse – Unsupported, Closed-Source and Patent-Encumbered Software:

Licence: Unknown
Updates: Canonical does not provide updates.
Some updates may be provided by Ubuntu community." -
https://askubuntu.com/questions/58364/whats-the-difference-between-multiverse-universe-restricted-and-main
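As an added example (not part of this thread and not arch-audit's own code), the following Python script evaluates lines in the `arch-audit --upgradable --quiet` format shown above against a local package list, using a simplified version comparison modelled on pacman's vercmp; the installed versions in INSTALLED are constructed. It also shows why a self-built package under a different name (linux-rt) is never matched by an advisory entry for "linux".

```python
import re

# Constructed sample input: one arch-audit --upgradable --quiet line and a fake local package DB
AUDIT_OUTPUT = "linux>=4.14.1-1\n"
INSTALLED = {"linux": "4.13.7-1", "linux-rt": "4.13.7_rt1-1"}   # constructed, not from the post
_RUN = re.compile(r"\d+|[A-Za-z]+")
_CONSTRAINT = re.compile(r"^(?P<name>[^<>=]+)(?P<op>>=|<=|>|<|=)(?P<ver>.+)$")

def _cmp_runs(a, b):
    """Simplified pacman-style comparison of alternating numeric/alpha runs."""
    ra, rb = _RUN.findall(a), _RUN.findall(b)
    for x, y in zip(ra, rb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1           # a numeric run beats an alpha run
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        if x != y:
            return 1 if x > y else -1
    rest = ra[len(rb):] or rb[len(ra):]
    if not rest:
        return 0
    sign = 1 if len(ra) > len(rb) else -1            # extra numeric run (1.0.1 vs 1.0) is newer,
    return sign if rest[0].isdigit() else -sign      # extra alpha run (1.0a vs 1.0) is older

def _split(v):
    epoch, sep, rest = v.partition(":")               # [epoch:]pkgver[-pkgrel]
    epoch, rest = (int(epoch), rest) if sep else (0, v)
    pkgver, sep, pkgrel = rest.rpartition("-")
    return (epoch, pkgver, pkgrel) if sep else (epoch, rest, None)

def vercmp(v1, v2):
    """Compare two pacman version strings; returns -1, 0 or 1 like vercmp(8)."""
    e1, p1, r1 = _split(v1)
    e2, p2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _cmp_runs(p1, p2)
    return c if c or r1 is None or r2 is None else _cmp_runs(r1, r2)

def audit(output, installed):
    """Map each package named in the audit output to 'ok' or an upgrade note."""
    result = {}
    for line in output.splitlines():
        m = _CONSTRAINT.match(line.strip())
        if not m or m["name"] not in installed:
            continue                                  # arch-audit only lists installed packages
        name, op, want = m.group("name", "op", "ver")
        c = vercmp(installed[name], want)
        ok = {">=": c >= 0, ">": c > 0, "=": c == 0, "<=": c <= 0, "<": c < 0}[op]
        result[name] = "ok" if ok else f"upgrade needed: {installed[name]} does not satisfy {op}{want}"
    return result
```

Because matching is by package name, the linux-rt entry never appears in the result, which is exactly the gap a self-built kernel package leaves in this kind of audit.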