Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
RE[6]: Audit packages - Debian
by lemur2 on Thu 17th Dec 2009 22:37 UTC in reply to "RE[5]: Audit packages - Debian"
It depends on the distribution. I think most of the security research community would be impressed if you could get a malicious package through Debian's vetting stages and into stable back-ports or testing repositories.

Exactly so.

Debian's use of package management goes back to the 1999-2004 timeframe.

http://en.wikipedia.org/wiki/Debian#History

No instance has ever been recorded of a malicious package getting through the system yet, for many thousands of packages, over a decade timespan.

A few times in that period some Debian servers have been hacked. Some intruders even got root access, I believe. Even so, still no way was found to inject any hidden malware into the system.

Edited 2009-12-17 22:40 UTC