OSNews is Exploring the Future of Computing

Linux IRC Server Gets Trojan, Press Harps On Linux Security

Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC

Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.

5 · Read More · 111 Comment(s)

http://osne.ws/i3c

Permalink for comment 430054
To read all comments associated with this story, please click here.

RE[2]: Comment by lemur2

by lemur2 on Tue 15th Jun 2010 05:36 UTC in reply to "RE: Comment by lemur2"

Member since:
2007-02-17

"Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.

And people keep bitching because Apple won't open up the iPhone/iPad to allow for installing apps from outside sources. "

WTF????

Opposite situation. It is better for the outside developer to avail themselves of the resources of the distribution repository. Unlike Apple, this not a case of "your app can't be in our repository" ... where is there any profit in that?

But I say, be careful for what you wish for ... Insofar as Linux goes, it's easy to say that a platform is secure when you just tell people that, to stay secure, you gotta stick to the applications supplied to you by the Distro Gods. And in the case of Linux, as we have seen here, it is even more dangerous to venture outside the sandbox of the distro repository, since any douchebag can screw with the source, recompile it, and offer it on some random server. Better hope whoever downloads it knows about PGP.

The "Distro Gods" are not in the business of trying to limit you. You can get, say, VLC, KDE, MPlayer, Firefox and OpenOffice on Debian, Ubuntu, SuSe, Mandriva and RedHat. It is the same code, it is not re-written dozens of times over by different "Distro Gods". Sheesh!

There are over 25,000 open source packages in Debian/Ubuntu repositories. This is hardly a case of anyone "playing God" and trying to somehow short-change you.

But, anyway, if your application is too obscure for a distribution to accept it (because after all they would have to devote resources to it if they did accept it) ... then you can still sign your packages and host them in a format suitable for delivery via end users package managers anyway. The only weakness here is that end users must add a URL to your distribution server in their software sources list, and they must obtain your public key securely from somewhere. There are key servers for that latter purpose.

For example, if you want a version of Firefox-3.7 that includes WebM, right now, today, then here you go:
https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa

Open a terminal and enter:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa
sudo apt-get update
sudo apt-get install firefox-3.7

This will install a GPG signed version of Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.

There are over 18,000 projects on launchpad.net.

https://launchpad.net/

Edited 2010-06-15 05:45 UTC

Reply Parent Score: 1