Updates

One of the great things about free software is that people can easily take a functional program or library and customize it as they see fit. Anyone can come along, submit bug fixes or improvements, and they can be easily shared across many people, projects, and organizations. With distribution systems like Python’s pypi, there is an update channel that the trusted maintainers can publish fixes so consumers of the library can easily get updates. [Read More]

There is a new vulnerability in Debian’s apt that allows anything that can Man-in-the-Middle (MITM) your traffic to get root on your Debian/Ubuntu/etc boxes. Using encrypted connections for downloading updates, like HTTPS or Tor Onion Services, reduces this vulnerability to requiring root on the mirror server in order to exploit it. That is a drastic reduction in exposure. We have been pushing for this since 2014, and Debian, mirror operators, and others in the ecosystem have taken some big steps towards making this the standard. [Read More]