Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses: Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan has been holding open the backdoor in the source code since November 2009, which is not very recent at all. And, of course, bloggers and the press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
RE: Catch 22
by lemur2 on Tue 15th Jun 2010 02:46 UTC in reply to "Catch 22"

> Even if a file is PGP/GPG signed, it could still have a trojan or security issue. Lots of software is installed from mirrors in Linux distros and each time you do it you are trusting strangers and you don't know how many. Transparency and peer review are important, seems to me.


If you examine the source code, and test the application that the source code produces, and then sign that with GPG, then later on no-one else can come along and attach something else (and something malicious) to the tarball on your server.

> We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.


Had UnrealIRCd bothered to GPG sign the original Unreal3.2.8.1.tar.gz file with their repository key, then it could not have been replaced on their server or mirrors without triggering a GPG warning when anyone tried to install the trojaned version.

This is part of the way that Linux package managers actually work.

http://en.wikipedia.org/wiki/Package_management_system#Functions

> Verifying file checksums to ensure correct and complete packages.
> Verifying digital signatures to authenticate the origin of packages.


Edited 2010-06-15 02:51 UTC
