
On 12/7/10 18:53 , Darrin Chandler wrote:
> On Tue, Dec 07, 2010 at 11:04:04PM +0100, Ketil Malde wrote:
>> It's not obvious to me that adding a mirror makes the infrastructure more insecure. Any particular concerns? (I hope I qualify as naïve here :-)
>
> If you run a mirror people will come to you for software to run on their machines. I see a way to take advantage of that immediately.

Exactly. And this isn't theoretical; fake packages and packages with extra payloads injected into them are fairly common.

-- 
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH