Package manager security

Simon Hollingshead presented his Part II project on package management.

Abstract: We all install and update software. For over fifteen years,
use of APT and RPM packages has tried to simplify this process on Linux
and, in recent years, other vendors are starting to borrow the idea.
From the Windows Store to the Google Play Store, the idea of a central
hub for application distribution seems to be gaining traction.

In my talk, I will explain the general protocol used to communicate
between a client and a repository, then look at reasons why even mature
Linux implementations are inadequate, albeit easily fixable. I will
conclude by demonstrating a pair of attacks capable of forcing any Arch
Linux machine, like Lingnan’s or mine, to install
deliberately-vulnerable packages to potentially allow it to be taken over.
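The client/repository exchange the abstract refers to, in simplified form, as an added example that is not the speaker's material or any distribution's actual code: an APT-style chain of trust in which the client verifies a signed Release file, the Release file vouches for the hash of the package index, and the index vouches for the hash of each package, with a validity window so that stale metadata is refused. The signing key, the HMAC used in place of a real detached OpenPGP signature, the JSON layout and the package name are all constructed for this example.

```python
"""Simplified model of a signed-repository update protocol (APT-style).

Added illustration only. A real client verifies a detached OpenPGP
signature on the Release file with a pinned public key; here an HMAC over
the Release bytes stands in for that signature so the example runs with the
standard library alone. The chain of checks is the point:
  signature over Release -> Release hashes cover the index
  -> index hashes cover the package -> metadata must still be fresh.
"""
import hashlib
import hmac
import json
import time

# Constructed stand-in for the repository signing key (assumption).
REPO_KEY = b"constructed-repository-signing-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_release(release: bytes, key: bytes = REPO_KEY) -> str:
    """Stand-in for the repository's detached signature over Release."""
    return hmac.new(key, release, hashlib.sha256).hexdigest()


def build_repository(now: float, valid_for: int = 7 * 24 * 3600) -> dict:
    """Repository side: package file -> Packages index -> signed Release."""
    pkg = b"constructed package payload for example-tool 1.2.0"
    packages_index = json.dumps({
        "example-tool": {"version": "1.2.0", "sha256": sha256(pkg), "size": len(pkg)},
    }).encode()
    release = json.dumps({
        "date": int(now),
        "valid_until": int(now) + valid_for,
        "files": {"Packages": {"sha256": sha256(packages_index), "size": len(packages_index)}},
    }).encode()
    return {
        "Release": release,
        "Release.sig": sign_release(release),
        "Packages": packages_index,
        "example-tool": pkg,
    }


class VerificationError(Exception):
    pass


def client_fetch_and_verify(repo: dict, name: str, now: float) -> dict:
    """Client side: nothing is trusted until the signed Release vouches for it."""
    release = repo["Release"]
    # 1. Signature over Release: the root of trust for everything below.
    if not hmac.compare_digest(sign_release(release), repo["Release.sig"]):
        raise VerificationError("Release signature invalid")
    meta = json.loads(release)
    # 2. Freshness: a validly signed but stale Release must not be accepted,
    #    otherwise old metadata could keep a client on superseded packages.
    if now > meta["valid_until"]:
        raise VerificationError("Release metadata expired")
    # 3. The Packages index must match the size and hash Release lists for it.
    index_bytes = repo["Packages"]
    want = meta["files"]["Packages"]
    if len(index_bytes) != want["size"] or sha256(index_bytes) != want["sha256"]:
        raise VerificationError("Packages index does not match Release")
    index = json.loads(index_bytes)
    if name not in index:
        raise VerificationError(f"{name} not in index")
    # 4. The package file must match the size and hash the trusted index lists.
    entry = index[name]
    pkg = repo[name]
    if len(pkg) != entry["size"] or sha256(pkg) != entry["sha256"]:
        raise VerificationError("package file does not match index")
    return {"name": name, "version": entry["version"], "bytes": len(pkg)}


def verify_outcome(repo: dict, name: str, now: float) -> str:
    """Convenience wrapper returning 'ok:<version>' or 'rejected: <reason>'."""
    try:
        result = client_fetch_and_verify(repo, name, now)
        return f"ok:{result['version']}"
    except VerificationError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    now = time.time()
    repo = build_repository(now)
    print("genuine:", verify_outcome(repo, "example-tool", now))
    swapped = dict(repo, **{"example-tool": b"constructed substitute build"})
    print("swapped package:", verify_outcome(swapped, "example-tool", now))
    print("stale metadata:", verify_outcome(repo, "example-tool", now + 8 * 24 * 3600))
```

Every failure mode is caught at the earliest link of the chain that no longer matches: a substituted package fails the index hash, a substituted index fails the Release hash, and an edited or replayed Release fails the signature or the validity window.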