[svlug] svlug Digest, Vol 335, Issue 14

norm@dad.org norm at dad.org
Sat Jul 19 14:44:32 PDT 2008


From: Rick Moen <rick at linuxmafia.com>
>Precedence: list
>Subject: Re: [svlug] Spinning down a SCSI disk
>Date: Thu, 17 Jul 2008 12:51:47 -0700
>To: svlug at lists.svlug.org
>References: <20080711231928.GA8256 at synapse.neuralscape.com>
><200807120102.m6C12vSb091276 at shell.rawbw.com>
>man in the middle attack).  However, even more of
>a risk is the possibility that intruders have replaced the upstream
>developer tarball (or repository check-in) with a tampered replacement.
>Off the top of my head, I'm aware of this having happened in the past
>with util-linux, dsniff, fragrouter/fragroute, sendmail, irssi, and tcpd
>-- not to mention the briefly successful trojaning of Linux kernel code
>at CVS-gateway kernel.bkbits.net in 2003.  So, are you checking gpg
>signatures?  Do you know what signing keys are real and can be trusted?
>
>On any well-run distro, your package manager vets downloaded code
>against signatures the package maintainer believes can be trusted, to
>verify that none of the contents have been tampered with, including
>downstream from the original developer.
>
>A good package maintainer will also steer you away from upstream code
>that is too immature/buggy, will apply security patches, will ensure
>that the package complies with distro policies, and so on.

I'm using RedHat 4.0 (Yeah, I know that was a bad choice). It does not have a
package for sdparm.

I did find a package, sdparm-1.03-1.i386.rpm, at
http://sg.torque.net/sg/sdparm.html. But I ran into dependency problems that I
couldn't resolve. So I had to download sdparm-1.03.tgz, from that site, to build
sdparm. It built with no problem. SO FAR, I've had no problems using it.


    Norman Shapiro
    798 Barron Avenue
    Palo Alto CA 94306-3109
    (650) 565-8215
    norm at dad.org
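A check along the lines Rick describes, added here as an example (not code from either poster): it verifies a downloaded tarball's detached GnuPG signature and then insists that the signing key's fingerprint match one pinned in advance, so a "good signature" from a key nobody has vetted is rejected rather than trusted. The pinned fingerprint, the file names and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify a tarball's detached
# GnuPG signature AND pin the signing key's fingerprint, because a "good
# signature" from a key you have never vetted proves nothing.
# The fingerprint below is a constructed placeholder; obtain the real one
# out of band (key-signing, project page over TLS, the distro keyring).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd 1` output on stdin. Return 0 only if a VALIDSIG
# line names the pinned fingerprint, either as the key that made the
# signature (first field after VALIDSIG) or as the primary key it belongs
# to (last field). BADSIG/ERRSIG/NODATA, or no VALIDSIG at all, fail.
check_status() {
    pinned=$1
    result=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA"*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}
                sig_fpr=${rest%% *}       # key that produced the signature
                primary_fpr=${line##* }   # primary key it belongs to
                if [ "$sig_fpr" = "$pinned" ] || [ "$primary_fpr" = "$pinned" ]; then
                    result=0
                fi ;;
        esac
    done
    return $result
}

# Usage: verify_tarball sdparm-1.03.tgz sdparm-1.03.tgz.asc
# (file names are illustrative; the .asc must come from upstream too).
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | check_status "$PINNED_FPR"
}
```

The pin is what turns "gpg said the signature is good" into "the file was signed by the key I decided to trust"; without it, an intruder who replaced the tarball could simply sign the replacement with a key of their own.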



