Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 400001
RE: Bottom Line
by ple_mono on Wed 16th Dec 2009 22:41 UTC in reply to "Bottom Line"

I agree. There are several problems with package managers today though. There are so many packaging standards and mechanisms. This results in one tarball having to be packaged a whole bunch of times to reach most Linux users. I realize here that many distros use different versions of dynamic libraries and such, but there is the possibility to build "fat" binaries (not the correct term perhaps) that would fit the most common configurations, or a "golden standard" if you will.
It seems to me that none of the major distros are willing to work together to create such a standard, and a mechanism to work with it, though. It could in theory bring packages to a much wider audience, with less work being done by the maintainers = more time to work on packaging stuff that ends up at gnome-look.org etc. as it is now.

That is not the only problem IMHO. There should be some way for users to install packages contained in their $HOME only (or a mechanism to install packages per user, or group), without root privileges. Themes don't have to be friggin installed as root, to the system root! But, to be honest, it would be nice if one could install regular applications this way too. In this recent case with the .deb from gnome-look, this method could have significantly minimized the damage a "rogue" binary could have done to the system.

Reply Parent Score: 4

RE[2]: Bottom Line
by lemur2 on Thu 17th Dec 2009 00:42 in reply to "RE: Bottom Line"

"This results in one tarball having to be packaged a whole bunch of times to reach most linux users."

Typically, this is handled by a division of responsibility.

A "project", such as KDE, will work on source code. They will typically use a source code management system (perhaps SVN or Git), and they will have a community of developers, maintainers and testers etc., etc.

Once a project releases a new version, then the repositories take that source code, compile it for their given distribution with switches for their supported architecture(s) and directory structures, make sure it works against all of its dependencies at the version they are at in the distribution, and then if all is OK, package it (into a .deb or a .rpm or a .tgz or whatever that distribution uses) and include it in the repository storage area, and index the newly updated package in the repository index files.

There is one set of application developers, and one or more package maintainers at each distribution.

It isn't too onerous. It typically works well enough, even to the extent that it is possible to have one-man distributions.

Reply Parent Score: 3

RE[2]: Bottom Line - KDE4 does this well
by jabbotts on Thu 17th Dec 2009 15:16 in reply to "RE: Bottom Line"

For general package install, I shudder to consider a system that allows user accounts to toss anything they want on there. I already have that with Windows allowing things like Skype to install without admin privileges. Reducing the required privileges to install software is just not good thinking.

Now, for things like DE themes, KDE4 actually does just that. In the desktop properties one can select from the provided backgrounds or click "get more", resulting in a list of themes and such available for download. Select the background or theme and down it comes into the user's ~/.kde without admin privileges. This sort of thing is less of a concern because it's not executable code users can easily be fooled into downloading (wow.. another naked-britney.exe.. I must have it). The security issue returns to the vulnerability in the chair-keyboard interface rather than that and the design flaw of promoting user-installed executables.

Reply Parent Score: 2

RE[2]: Bottom Line
by MamiyaOtaru on Thu 17th Dec 2009 19:56 in reply to "RE: Bottom Line"

"There's several problems with package managers today though. There's so many packaging standards and mechanisms. This results in one tarball having to be packaged a whole bunch of times to reach most linux users. I realize here, that many distros use different versions of dynamic libraries and such, but there are the possibility to build "fat" binaries (not the correct term perhaps) that would fit the most common configurations, or a "golden standard" if you will.
It seems to me, none of the major distros are willing to work together to create such a standard, and a mechanism to work with it though."

Such a standard would bypass the advantages of a distro software repository as outlined by lemur2. You are proposing something that would allow third parties to package something up in binary format to be run by (m)any distro without being "audited" by the distro team. What they should be doing, and all they should have to worry about, is providing source code and letting the distros package it.

A universal binary format is only of interest to software that someone doesn't want distributed in source code format, which really doesn't belong on an open system, at least according to some. Such a format is certainly not an answer to the security questions posed by the poisoned theme in the article.

Reply Parent Score: 2