[svlug] Spinning down a SCSI disk

Rick Moen rick at linuxmafia.com
Thu Jul 17 12:51:47 PDT 2008


Quoting Karen Shaeffer (shaeffer at neuralscape.com):

> Hi Norm,
> That site is completely trustworthy. He is a scsi layer kernel developer.

I've noticed that people seem to underestimate the risks and
disadvantages of going to upstream code instead of distro packages.  They
start with the fact that, unless you're absolutely certain of the
security of your DNS and routing, what you think is the upstream site
could be an imposter (man in the middle attack).  However, even more of
a risk is the possibility that intruders have replaced the upstream
developer tarball (or repository check-in) with a tampered replacement.
Off the top of my head, I'm aware of this having happened in the past
with util-linux, dsniff, fragrouter/fragroute, sendmail, irssi, and tcpd
-- not to mention the briefly successful trojaning of Linux kernel code
at CVS-gateway kernel.bkbits.net in 2003.  So, are you checking gpg
signatures?  Do you know what signing keys are real and can be trusted?

On any well-run distro, your package manager vets downloaded code
against signatures the package maintainer believes can be trusted, to
verify that none of the contents have been tampered with, including
downstream from the original developer.

A good package maintainer will also steer you away from upstream code
that is too immature/buggy, will apply security patches, will ensure
that the package complies with distro policies, and so on.
