On Thu, 7 Mar 2013 15:14:42 +0100, Nick Copeland wrote
Of course. It'll be as vulnerable as the compiled ardour you download from
a hacked server ;-)
> Is the code signed?
Probably not. It might be possible to provide checksums (wich you would have to
commuincate over a secure channel ...) but in the presence of line-end conversion
et al. even that is non-trivial.
> What I am getting at is that if you install ardour using a root account but the
Yes. That's pretty obvious. Almost the same is true for non-root installs as well.
Just install a backgound process that logs all X-events (key-down ...) and you'll
be able to get root access.
Iff you protection against this kind of exploits you pretty much need to audit you
code base or use distributions that use signed packages. Trust your
audit, those are the only options you have.
> I doubt this since if I wanted to own a few systems then I would not leave the
Which distribution _doesn't_ sign it's packages? What code is weakly protected?
Even most major download/DVCS sites use secure communication channels these days
(https). The problem is the naive asumption that self-compiled code would be more
secure. Not a Linux problem, I'd say ...
Cheers Ralf Mattes
> Regards, nick.
R. Mattes -
Hochschule fuer Musik Freiburg
Linux-audio-user mailing list