Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
RE[2]: Bottom Line
by MamiyaOtaru on Thu 17th Dec 2009 19:56 UTC in reply to "RE: Bottom Line"
There are several problems with package managers today, though. There are so many packaging standards and mechanisms. This results in one tarball having to be packaged a whole bunch of times to reach most Linux users. I realize here that many distros use different versions of dynamic libraries and such, but there is the possibility to build "fat" binaries (not the correct term, perhaps) that would fit the most common configurations, or a "golden standard" if you will.
It seems to me that none of the major distros are willing to work together to create such a standard, and a mechanism to work with it, though.

Such a standard would bypass the advantages of a distro software repository as outlined by Lemur. You are proposing something that would allow third parties to package something up in binary format to be run by (m)any distro without being "audited" by the distro team. What they should be doing and all they should have to worry about is providing source code and letting the distros package it.

A universal binary format is only of interest to software that someone doesn't want distributed in source code format, which really doesn't belong on an open system, at least according to some. Such a format is certainly not an answer to the security questions posed by the poisoned theme in the article.
