Sorry, I don't get it. What's the chain of reasoning that connects "there are a couple of new Linux local privilege escalation exploits" to "don't install any new software"? Is the threat we're supposed to be concerned about here just a package maintainer publishing malware that uses these exploits?
(Naively, not knowing much about apt-get or yum or other OS package managers, I have always assumed that 1. only a handful of trusted people can publish to the default repos for system package managers and 2. that since I have to run `apt-get install` as root anyway, package installers can completely pwn my system if they want to and I am protected purely by trust. Is some of that wrong? If it's right, isn't it nonsensical to be any more worried about installing new packages in light of these vulns?)
Well one thing is, there are package updates that could masquerade a backdoor much like XZ Utils[1].
The post in question points to dependency package managers, however, not system package managers: NPM, for example, which has pre- and post-build scripts, install scripts, etc.
[1] https://en.wikipedia.org/wiki/XZ_Utils_backdoor
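The comment above refers to the lifecycle scripts that dependency package managers such as NPM run during installation. The following is an added illustration, not code from anyone in this thread: a small Python scanner that walks a `node_modules` tree and reports every package whose `package.json` declares an install-time hook, which is the kind of inventory a defender would want before trusting a fresh install. The package names and manifests are constructed sample data, and the hook list and walk logic are the author's assumptions about what is worth flagging.

```python
import json
import os
import tempfile

# npm lifecycle hooks that can execute commands during `npm install`
# (assumed list for this example; adjust to the hooks you care about)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def find_install_hooks(package_json_text):
    """Return {hook: command} for install-time scripts in a package.json string."""
    data = json.loads(package_json_text)
    scripts = data.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def scan_node_modules(root):
    """Walk a node_modules tree and return {relative_package_dir: hooks}
    for every package that declares at least one install-time hook."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as handle:
                hooks = find_install_hooks(handle.read())
        except (OSError, ValueError):
            # unreadable or malformed manifest: skip rather than crash the scan
            continue
        if hooks:
            findings[os.path.relpath(dirpath, root)] = hooks
    return findings


# Constructed sample manifests (not real packages) used to exercise the scanner.
SAMPLE_PACKAGES = {
    "plain-dep": {
        "name": "plain-dep",
        "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    },
    "hooked-dep": {
        "name": "hooked-dep",
        "version": "0.1.0",
        "scripts": {"postinstall": "node setup.js", "test": "echo ok"},
    },
}


def build_sample_tree():
    """Write the constructed manifests into a temporary node_modules layout."""
    root = tempfile.mkdtemp()
    node_modules = os.path.join(root, "node_modules")
    for name, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = os.path.join(node_modules, name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as handle:
            json.dump(manifest, handle)
    return node_modules


def demo():
    """Scan the constructed tree; only the package with a postinstall hook is reported."""
    return scan_node_modules(build_sample_tree())


if __name__ == "__main__":
    for pkg, hooks in demo().items():
        print(f"{pkg}: {hooks}")
```

Running the scan before the first `npm install` on a new machine is only half the story: npm's own `ignore-scripts=true` setting (in `.npmrc` or via `npm config set ignore-scripts true`) prevents these hooks from running at all, so packages that genuinely need a build step then have to be rebuilt deliberately, one at a time, after review.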
> What's the chain of reasoning that connects "there are a couple of new Linux local privilege escalation exploits" to "don't install any new software"?
Right. I for one don't take advice from furries.
For unknown-to-me reasons, the overlap between furries and some of the smartest security people in the world is way more than you would think.
You should in regards to computer security.