[NBLUG/talk] Package Updater

Eric Eisenhart freiheit at gmail.com
Sat Jan 12 12:35:41 PST 2008


On Jan 12, 2008, at 8:00 AM, Jack Smith wrote:
> Fedora 8 came with a package updater that's always informing me that  
> "updates are available".  Should I be paranoid about this?  How  
> paranoid?  I am after all, giving _somebody_ root authority to  
> update my computer.

The way you talk about it makes it sound like somebody will be logging  
into your computer and running software for you -- that's not quite it.

The same people who put together the packages for Fedora 8 are the  
people that create the updated packages.  They use cryptographic  
signatures on the packages, so that you can be sure that the same  
people who created the disc you installed Fedora from are the ones  
that created the updates (or at least that they reviewed the updates).

When you run the package updater, it connects to one of the Fedora  
mirrors, asks it what the latest versions of everything in Fedora 8  
are, then compares that against what you have on your system and if  
there's something newer in Fedora than what you have installed, it  
prompts you to update to the newer packages.  If you say "yes", it  
will download them from the mirrors, check those signatures, and  
install the updated packages.  All the control happens on your side,  
the servers out there just let you download some files.

In other words: it's only giving somebody root to the extent that  
installing Fedora 8 in the first place is giving somebody root.  
Realistically, there's a certain amount of trust involved.  I don't  
know anybody who's ever inspected every byte of every piece of  
software they've ever installed on their system.  It's basically  
impossible to do, and wouldn't even be enough, since the problem is  
quite complicated.  You have to decide to trust somebody to do the  
right things.

The better application of your paranoia would be to install the   
updates.  Many of them fix security problems that could allow  
definitely bad people to take control of your computer.  Not  
installing updates because you're paranoid about somebody you've  
already trusted and instead letting malicious teenagers all over the  
world into your computer doesn't seem like a good choice to me.  :)
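The flow Eric describes (ask the mirror what is current, compare versions locally, download, check the signature, then install) as an added example that is not code from the post or from Fedora's own tools. Everything in it is constructed: the package names and versions, the two mirrors, and an HMAC-SHA256 that stands in for the GPG signature real packages carry; the key is a placeholder, not a Fedora key.

```python
"""Client-side update check, as described in the post: the client asks the
mirror for metadata, decides locally what is newer, downloads, verifies the
vendor signature, and only then installs.  All names, versions, package
bytes and the key are constructed for this example (not Fedora data); the
HMAC-SHA256 below stands in for the GPG signature real packages carry."""
import hashlib
import hmac

# Stand-in for the vendor signing key that ships with the install media
# (constructed; on a real system this is the vendor's public GPG key).
VENDOR_KEY = b"fedora-8-signing-key-placeholder"


def version_tuple(v):
    """'2.6.23.14' -> (2, 6, 23, 14).  Assumes dotted numeric versions;
    rpm's real comparison also handles epochs, releases and letters."""
    return tuple(int(p) for p in v.split("."))


def sign(data, key=VENDOR_KEY):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data, signature, key=VENDOR_KEY):
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(sign(data, key), signature)


def build_package(name, version):
    return f"{name}-{version} (constructed package contents)".encode()


# What the vendor published (constructed) and the metadata a mirror serves.
VENDOR_RELEASE = {"openssl": "0.9.8.17", "kernel": "2.6.23.14", "vim": "7.1.0"}
VENDOR_PACKAGES = {n: build_package(n, v) for n, v in VENDOR_RELEASE.items()}
METADATA = {n: {"version": v, "signature": sign(VENDOR_PACKAGES[n])}
            for n, v in VENDOR_RELEASE.items()}

# What this machine currently has installed (constructed).
INSTALLED = {"openssl": "0.9.8.12", "kernel": "2.6.23.14", "vim": "7.0.0"}


def honest_mirror(name):
    return VENDOR_PACKAGES[name]


def tampered_mirror(name):
    """A mirror that serves altered bytes for one package (constructed)."""
    if name == "openssl":
        return b"openssl-0.9.8.17 altered by a compromised mirror (constructed)"
    return VENDOR_PACKAGES[name]


def find_updates(installed, metadata):
    """The comparison happens on the client; the mirror only supplied a list."""
    return [name for name, ver in installed.items()
            if name in metadata
            and version_tuple(metadata[name]["version"]) > version_tuple(ver)]


def apply_updates(installed, metadata, download):
    """Download each newer package, verify it, install only if it checks out.
    Returns (new installed map, per-package report); never mutates its input."""
    installed = dict(installed)
    report = {}
    for name in find_updates(installed, metadata):
        entry = metadata[name]
        blob = download(name)
        if not verify(blob, entry["signature"]):
            # Either the mirror changed the bytes or the signature is not the
            # vendor's: refuse, and keep the currently installed version.
            report[name] = "rejected: bad signature"
            continue
        installed[name] = entry["version"]
        report[name] = "installed " + entry["version"]
    return installed, report


if __name__ == "__main__":
    for mirror in (honest_mirror, tampered_mirror):
        _, report = apply_updates(INSTALLED, METADATA, mirror)
        print(mirror.__name__, report)
```

The point the model makes is the one in the post: a mirror can only hand over files, and a file whose signature does not check out against the key you already trust is never installed, so a compromised mirror gets you a refused package rather than a compromised system. On a real Fedora box the same checks are visible with `rpm -qa gpg-pubkey*` (which signing keys are trusted) and `rpm --checksig <package>.rpm` (verify a downloaded package), and `gpgcheck=1` in a yum repository definition makes the updater enforce them.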
