undefined | Better HN

0 pointsXCabbage2d ago0 comments

Sorry, I don't get it. What's the chain of reasoning that connects "there are a couple of new Linux local privilege escalation exploits" to "don't install any new software"? Is the threat we're supposed to be concerned about here just a package maintainer publishing malware that uses these exploits?

(Naively, not knowing much about apt-get or yum or other OS package managers, I have always assumed that 1. only a handful of trusted people can publish to the default repos for system package managers and 2. that since I have to run `apt-get install` as root anyway, package installers can completely pwn my system if they want to and I am protected purely by trust. Is some of that wrong? If it's right, isn't it nonsensical to be any more worried about installing new packages in light of these vulns?)

0 comments

roskilli2d ago

Well one thing is, there are package updates that could masquerade a backdoor much like XZ Utils[1].

The post in question points to dependency package managers however not system packages, such as NPM, which has pre and post build scripts, install scripts, etc.

[1] https://en.wikipedia.org/wiki/XZ_Utils_backdoor

j / k navigate · click thread line to collapse

0 comments

roskilli2d ago

Well one thing is, there are package updates that could masquerade a backdoor much like XZ Utils[1].

The post in question points to dependency package managers however not system packages, such as NPM, which has pre and post build scripts, install scripts, etc.

[1] https://en.wikipedia.org/wiki/XZ_Utils_backdoor

j / k navigate · click thread line to collapse