by morganvachon 4288 days ago
Seeing this almost makes me want to switch back to Slackware for good. Using a Debian based OS has made me lazy; I love the convenience of being able to apt-get whatever I want to install instead of downloading the source and building my own packages. But when you can't even trust the package manager on the most widespread* distro? Basically every single package on my system is now suspect (I did immediately upgrade apt but any damage is already done).

*Speaking in terms of the number of derivatives that also use apt


How did you trust those sites you downloaded the sources from when you used Slackware?
Because it's the software author's site? I don't know how much more trust you could get, beyond only installing the software you write yourself.
Yes, but how do you know it's actually the software author and that the software has not been modified?

If you're not manually checking the PGP-signed SHASUMs of the software you're downloading for Slackware, you're not getting any more security than the defective apt software we've been running on Debian.

Edit: As pointed out by elosius, verifying SSL certs when you download packages would give you some degree of security (and that's what I often end up having to do on Windows), but unless you have access to signed digests from the package author, you won't get any better security than the broken Debian apt system.
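The check this comment describes, as an added example (not any commenter's script): first verify the detached PGP signature on the published checksum file, then compare the tarball's SHA-256 against the entry in that now-trusted file. It assumes the author's public key is already in the local GnuPG keyring and that the checksum file uses the `sha256sum` line format; both the function names and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a downloaded source tarball
# against a PGP-signed checksum file (SHASUMS + SHASUMS.asc), in that order:
# signature first, so a tampered SHASUMS file is rejected before any hash is trusted.
# Assumptions: the author's key is already imported into the local gpg keyring;
# SHASUMS lines look like "<sha256 hex>  <filename>" or "<sha256 hex> *<filename>".

set -eu

# Step 1: is the checksum file really signed by a key we hold?
# Returns 0 only when gpg emits a VALIDSIG status line for it.
verify_sums_signature() {
    sums_file=$1
    sig_file=$2
    gpg --batch --status-fd 1 --verify "$sig_file" "$sums_file" 2>/dev/null \
        | grep -q '^\[GNUPG:\] VALIDSIG '
}

# Step 2: does the tarball's SHA-256 match the entry in the checksum file?
# Returns 2 (refuses) if the file has no entry at all: silence is not approval.
verify_tarball_hash() {
    sums_file=$1
    tarball=$2
    name=$(basename "$tarball")
    # Accept both the text-mode ("  name") and binary-mode (" *name") spellings.
    expected=$(awk -v f="$name" -v fb="*$name" '$2 == f || $2 == fb { print $1; exit }' "$sums_file")
    [ -n "$expected" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    else
        actual=$(shasum -a 256 "$tarball" | awk '{ print $1 }')
    fi
    [ "$actual" = "$expected" ]
}

# Full check. Only unpack or build when both steps pass.
verify_download() {
    sums_file=$1
    sig_file=$2
    tarball=$3
    verify_sums_signature "$sums_file" "$sig_file" \
        || { echo "bad or unknown signature on $sums_file" >&2; return 1; }
    verify_tarball_hash "$sums_file" "$tarball" \
        || { echo "hash mismatch or missing entry for $tarball" >&2; return 1; }
    echo "verified: $tarball"
}

# Typical use (illustrative file names):
#   verify_download SHASUMS SHASUMS.asc foo-1.0.tar.gz && tar xzf foo-1.0.tar.gz
```

The ordering matters: a SHASUMS file fetched from the same mirror as the tarball proves nothing on its own, since whoever replaced the tarball could replace the checksums too; only the signature ties the digest back to the author's key, and the hash then ties the tarball to the signed digest.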

So then what's the difference between a broken apt not properly validating the source, and the user getting the source from the author, validating it by hand, and then compiling and installing? At least in the latter scenario, the user can be sure it's properly validated.

Personally, I'll choose the latter. Not only is apt a middleman, now it's a compromised middleman. Throw out the middleman and you have only yourself and the author.

You are willing to go through that much effort to download a single package? Sure, I love my privacy and security, but I have never had a problem on Ubuntu with that. If I ever have to do something particularly sensitive, setting up a virtual machine or booting a different OS temporarily would be less effort.
Do I verify signatures when downloading and building from source on Slackware? Yes, I do. Slackware itself comes with nearly all the software I need already. The few programs I need to get beyond that, I always verify hashes. I do this using a script I wrote myself (I'm not a programmer by trade but I can bash out a script, no pun intended). I really don't understand why that's surprising; slackbuilds.org encourages its users to verify source tarballs before compiling, and it's a few seconds of extra work.
The location of the package isn't what makes it safe (i.e. cross-site vulnerabilities and such) but that the package signature matches the published signature from the author. Then it doesn't matter where you download the package. Does Slackware do this verification for you?
When did I ever say I wouldn't verify signatures? Does everyone here just assume that because I didn't spell it out that I wouldn't do that?

The only difference between me validating the source and building and installing it myself, and trusting apt to do all that for me, is that apt has been proven to be vulnerable. I'm not going to purposely install non-vetted code on my system, but now it's been proven that apt very well might do that. Again, how is a broken apt more secure than me manually vetting the source, when it comes to my own system?

I think what grandparent means is: did you verify the SSL cert properly, verify the digest of the source code you downloaded to ensure it's authentic, etc…
Well, the thing is, I can do all that by getting the source myself directly from the author. Trusting the apt package maintainer to do that places trust in a third party, and beyond that, it's now obvious that apt, for who knows how long, was not trustworthy.

Again, I fail to see how getting the source directly from the author and verifying the integrity of the source package is less secure than getting it from third parties in binary form.

"I can do all that by getting the source myself directly from the author."

Most people won't, making it a net loss to remove an automated system. Also, I'm betting you're not getting the source from the author unless you know the author in meatspace. You're trusting his DVCS (GitHub?) not to be owned and his account not to be owned, then trusting someone's gzip / tar program, then trusting their webhost who holds that source code file.

There is the interesting aspect that you probably don't spend all your time on software XYZ, but the package maintainer probably does, so if there is funny business, a distro package maintainer is much more likely to notice than yourself.

Author source repos have been hacked before, they'll be hacked again.

I think what people are sensing, even if they can't put their finger on it, is that you're applying fairly arbitrary standards of what's good and bad here. In reality, security is hard to the point of sheer impossibility regardless of what you do, if you hold everything to equally strict standards. If this leads you to write off apt probably the only consistent thing to do is stop using software entirely, honestly. Nothing is secure to that standard, and even with "certified software" one would forever be wondering about whether the certifiers have their own motives. It seems disingenuous to try to use this as an excuse to slag apt specifically, when with the standards you're using you ought to be yelling about many more things, including your putative solution. (How are you sure your signature checking code wasn't compromised?)

> Author source repos have been hacked before, they'll be hacked again.

Yes, and when that happens it can affect apt packages and manual installations equally.

> I think what people are sensing, even if they can't put their finger on it, is that you're applying fairly arbitrary standards of what's good and bad here.

I think what's going on is that I made the mistake of saying what I'm inclined to do for me, in a forum that often follows a hive mind approach. I'm not bashing apt, nor Debian, all I said was that I'm inclined to go back to doing things the hard way because it's net more secure for me. I realize that in larger numbers, a system like apt (or yum or pacman) is more secure for users en masse, even factoring in temporary lapses like this. But that was never my focus; I was simply indicating that this would be the final push to send me back to familiar territory on my desktop. Everyone jumped on the bandwagon and tried to claim that I said I wouldn't verify source in Slackware, just so they could "win" a discussion and get fake internet points. It's one of the few things about this community that feels immature to me, but then I remind myself that here I'm an old fart surrounded by kids in college or just coming out of it. It's a completely different mindset.

> How are you sure your signature checking code wasn't compromised?

I covered this in another comment, but years ago I wrote a bog-simple script to verify hashes. My code wasn't compromised because it's my code.

Slackware is hardly that much manual labor, either. You can grab precompiled tarballs from places like AlienBob and Slacky, or you can use the highly interactive, curses-driven sbopkg frontend to install from SlackBuilds in a way that I find is far more awe-striking than any other package manager I've used, if not necessarily that powerful.

There's still plenty of disinfo about it, though. Which is sad, as it is probably the only sane distro left (besides CRUX and Gentoo, perhaps). Patrick Volkerding really is a genius.

I agree completely, it's not that hard at all. Slackware was my proper introduction to the world of GNU/Linux back in the late 90s, and I always end up going back to it. Before the days of sbopkg, I always installed via ./configure -> make -> make install on the source anyway.

Another bonus of going back to Slack would be avoiding the looming systemd switch in Jessie. I'm still on the fence about it; I'm not a conspiracy nut who thinks it's trying to destroy GNU/Linux, but I don't care for how big it's getting either. So far Pat has been good about staying with a traditional "if it ain't broke don't fix it" approach, which I find comforting. Let the other guys deal with bleeding edge! :)