The Security Risks Of Changing Package Owners
The security risks associated with changing a package's owner are not well documented. A transfer changes who holds publish and access rights for the package and who manages the accounts behind it, and a new owner can ship code that runs with the privileges of every application that depends on the package, which makes ownership changes a path to privilege escalation in those applications. This paper attempts to quantify these risks and provide recommendations for mitigating them.
If a package you depend on has a new owner, you will have to re-verify it and rebuild the packages that depend on it. This can be a time-consuming and difficult process, especially when many packages depend on it, but accepting the owner change without rebuilding creates a major security risk: every dependent package inherits whatever the new owner publishes next.
The security risks of changing package owners are high, and letting the package manager pull in the new owner's releases automatically may not be an acceptable option in many cases. When you install a new version of an application or library, your risk increases if the new version contains bugs or vulnerabilities that the older version did not have. As you may recall from Chapter 3, vulnerabilities fall into different classes: low-risk exploits that require a user to knowingly run malicious code on their own machine; medium-risk exploits that let a local attacker gain root access to your system; and high-risk exploits that allow remote code execution on another user's machine, whether that machine is owned by you or by other users.
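One concrete mitigation for the risks described above is to record the owner set of each dependency at the time the lockfile is pinned, and to refuse automatic upgrades when that set has changed or when a release was uploaded by an account that was not an owner at pin time. The following is an added example, not code from this paper; the snapshot format (package name mapped to a set of owner account names) and the release records are assumptions, and all package names, accounts and versions are constructed sample data, not real registry entries.

```python
"""Gate dependency upgrades on package-owner changes.

Added example (not from the original article). Assumed inputs: a mapping of
package name -> set of owner accounts captured when the lockfile was pinned,
the same mapping captured now, and the releases uploaded since the pin.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Owners = Dict[str, Set[str]]  # package name -> owner account names


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    publisher: str  # account that uploaded this release


# Constructed sample data: owner sets recorded when the lockfile was pinned
# and the owner sets observed now. Not real registry data.
OWNERS_AT_PIN: Owners = {
    "fastjsonx": {"alice", "bob"},
    "tinyhttpd": {"carol"},
    "colorfmt": {"dave"},
}
OWNERS_NOW: Owners = {
    "fastjsonx": {"alice", "bob"},  # unchanged
    "tinyhttpd": {"mallory"},       # full transfer: carol out, mallory in
    "colorfmt": {"dave", "eve"},    # a co-owner was added
}
RELEASES_SINCE_PIN: List[Release] = [
    Release("fastjsonx", "2.3.1", "alice"),
    Release("tinyhttpd", "0.9.0", "mallory"),
    Release("colorfmt", "1.4.0", "dave"),
    Release("colorfmt", "1.5.0", "eve"),
]


def owner_changes(before: Owners, after: Owners) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {package: (added_owners, removed_owners)} for packages whose owner set differs.

    Packages present in only one snapshot are treated as having an empty owner
    set on the other side, so newly added or dropped dependencies also surface.
    """
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old != new:
            changes[name] = (new - old, old - new)
    return changes


def classify(before: Set[str], after: Set[str]) -> str:
    """Label the kind of ownership change between two owner sets."""
    if before and not after:
        return "orphaned"          # nobody owns it; the name may be re-registrable
    if before and after and not (before & after):
        return "full-transfer"     # no original owner remains
    if (after - before) and (before - after):
        return "partial-transfer"  # some owners swapped out
    if after - before:
        return "owner-added"
    return "owner-removed"


def releases_needing_review(releases: List[Release], owners_at_pin: Owners) -> List[Release]:
    """Releases uploaded by an account that was not an owner when the lockfile was pinned."""
    return [r for r in releases if r.publisher not in owners_at_pin.get(r.name, set())]


def gate(before: Owners, after: Owners, releases: List[Release]) -> Dict[str, List[str]]:
    """Build a CI report: package -> reasons its upgrade must not be taken automatically.

    A package absent from the report is safe to upgrade under this policy; anything
    listed needs a human to rebuild and re-verify the dependents first.
    """
    report: Dict[str, List[str]] = {}
    for name, (added, removed) in owner_changes(before, after).items():
        kind = classify(before.get(name, set()), after.get(name, set()))
        report.setdefault(name, []).append(
            f"owner change ({kind}): +{sorted(added)} -{sorted(removed)}"
        )
    for r in releases_needing_review(releases, before):
        report.setdefault(r.name, []).append(
            f"{r.version} published by non-pinned owner {r.publisher}"
        )
    return report


if __name__ == "__main__":
    for pkg, reasons in gate(OWNERS_AT_PIN, OWNERS_NOW, RELEASES_SINCE_PIN).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample data, the gate flags tinyhttpd (a full transfer plus a release by the new owner) and colorfmt (a co-owner added and a release published by that new account), while fastjsonx is left alone because its owners and publishers are unchanged. The two checks are deliberately separate: the owner-set diff catches transfers even before the new owner publishes anything, and the publisher check catches a release from an unknown account even if the owner snapshot is stale.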