I saw this on Digg’s upcoming stories today: “Totally complete sources.list for Ubuntu Feisty Fawn”, and felt a chill of terror. Visions of masses of users new to Ubuntu (and Linux in general) downloading this sources.list and using it, watching their computers melt, and blaming Linux overwhelmed my poor little brain.


I’ll say the same thing here that I said there:

It can’t be said enough: don’t simply use someone else’s sources.list without verifying every entry in it. Your sources.list file should only be updated by one person: you (or your sysadmin), and only when you know what you are installing.

Your sources.list is the equivalent of a list of trusted developers: people who can and do program computer software to make it behave the way they want. Because most installations are done as a superuser, a sources.list file is essentially a list of (for lack of a better word) hackers whom you trust to use your machine for whatever reasons they deem necessary. If you (or Canonical) didn’t put the entries there, how do you know whether or not you can trust them? Answer: you can’t.

So do not, repeat DO NOT use someone else’s sources.list without manually verifying every entry in it.
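One way to do that verification pass, as an added example that is not part of the original post: a small Python audit that lists every active entry whose host you have not approved yourself. It assumes the classic one-line sources.list format; the `TRUSTED_HOSTS` set, the function names and the sample file (including the made-up `example.org` and `example.net` hosts) are constructed for illustration, and the `trusted=yes` check goes slightly beyond the post by flagging an option that turns off apt's authentication checks for a source.

```python
from urllib.parse import urlparse

# Assumption: the hosts you have personally verified; edit to match your own decision.
TRUSTED_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}

# Constructed sample in the one-line sources.list format (example.* hosts are made up).
SAMPLE = """\
# official repositories
deb http://archive.ubuntu.com/ubuntu feisty main restricted
deb-src http://archive.ubuntu.com/ubuntu feisty main restricted
deb http://security.ubuntu.com/ubuntu feisty-security main  # security updates
deb http://repo.example.org/ubuntu feisty main
deb [trusted=yes] http://packages.example.net/apt ./
"""

def parse_entries(text):
    """Return (line_no, options, uri) for every active deb/deb-src line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        rest, options = fields[1:], []
        if rest[0].startswith("["):  # optional "[ key=value ... ]" block
            while rest:
                token = rest.pop(0)
                options.append(token.strip("[]"))
                if token.endswith("]"):
                    break
        if rest:
            entries.append((line_no, [o for o in options if o], rest[0]))
    return entries

def audit(text, trusted_hosts=TRUSTED_HOSTS):
    """Return (line_no, uri, reasons) for entries that still need manual review."""
    findings = []
    for line_no, options, uri in parse_entries(text):
        reasons = []
        if urlparse(uri).hostname not in trusted_hosts:
            reasons.append("host not in your trusted list")
        if "trusted=yes" in options:
            reasons.append("trusted=yes disables authentication checks")
        if reasons:
            findings.append((line_no, uri, reasons))
    return findings

if __name__ == "__main__":
    for line_no, uri, reasons in audit(SAMPLE):
        print(f"line {line_no}: {uri}: {'; '.join(reasons)}")
```

To check a real system, pass `audit()` the contents of `/etc/apt/sources.list` and of each `.list` file under `/etc/apt/sources.list.d/`; an empty result only means every host is on your list, so the list itself is where the trust decision lives.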
