Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 400005
RE[2]: Bottom Line
by google_ninja on Wed 16th Dec 2009 22:56 UTC in reply to "RE: Bottom Line"

If anything, this incident just underlines the points: that one simply cannot trust downloading from websites, no matter how seemingly reputable; and that one should always use the package manager, and ONLY the package manager, to install applications and utilities for Linux systems.


That's not really true.

As soon as you execute ANY executable code, you are putting full control of your computer into the hands of anyone who had the ability to modify that code before it got to you. I'm assuming you mean Debian when you said package managers have an impeccable record, and I would totally agree with that. But that doesn't change that you are putting control of your computer into the hands of whoever has the ability to add or modify a package in a Debian repo when you run it.

It is a matter of trust, and a question of degree.

In contrast, downloading binary blobs from websites and putting them on one's system is a way of life for Windows users. Mac users are possibly part way between these two extremes.


Mac users are in the same boat as Windows users.

Reply Parent Score: 4

RE[3]: Bottom Line
by lemur2 on Thu 17th Dec 2009 00:57 in reply to "RE[2]: Bottom Line"

As soon as you execute ANY executable code, you are putting full control of your computer into the hands of anyone who had the ability to modify that code before it got to you. I'm assuming you mean Debian when you said package managers have an impeccable record, and I would totally agree with that. But that doesn't change that you are putting control of your computer into the hands of whoever has the ability to add or modify a package in a Debian repo when you run it.

It is a matter of trust, and a question of degree.


No, I mean all distribution repositories. That is to say, those repositories of packages that are maintained by some distribution or another.

Debian has these, as does Fedora, Arch, Ubuntu, Mandriva, OpenSuse, Slackware ... almost any distribution. (Some smaller distributions leech off other repositories. For example, sidux uses the Debian sid repositories).

All of these have an impeccable record.

Debian and Ubuntu repositories include about 25,000 packages. "Smaller" distributions, such as Arch, will typically have only about 5,000 packages. This is largely a matter of the manpower available to maintain the repositories in each case.

As far as trust goes ... it is most decidedly in the self-interest of the distribution to maintain the highest quality of its repositories. This is what the people involved themselves use for their own systems, and the quality of the distribution's repositories is what the entire reputation of the distribution hangs on.

As for whether or not you can trust the system ... well, having an impeccable record over many years for thousands of packages speaks a lot to that topic, wouldn't you say?

Edited 2009-12-17 01:00 UTC

Reply Parent Score: 2

RE[4]: Bottom Line - Red Hat
by jabbotts on Thu 17th Dec 2009 15:06 in reply to "RE[3]: Bottom Line"

I believe it was Red Hat's repositories that were breached a year or two ago. The cause was a config error which allowed someone to push modified .rpm files into some of the repository mirrors. I believe it was caught quickly and was due to a config error rather than software flaws. It also doesn't mean all repositories are wide open. The repository should be the safest source for packages, but one should still remain aware of what they are doing.

Reply Parent Score: 3

RE[4]: Bottom Line
by google_ninja on Thu 17th Dec 2009 22:33 in reply to "RE[3]: Bottom Line"

In a general way I wasn't really arguing with you. My problem was "If you do this, you are safe". It's not that cut and dried. For example, Debian has an extensive testing, maintenance, and QA process they follow, with checks built in to the package manager to prevent tampering; Slackware is basically stuff pushed up to an FTP, and then mirrored out. I would trust Debian a heck of a lot more than Slack. (Not to say I wouldn't trust Slack, just that Debian has more focus on this, and is more than one guy.)

The same trust thing is true on Windows. If you download something anonymously off of an anonymous torrent site, I would have a very low level of trust. If you download something off of SourceForge, I would have a much higher level of trust, although significantly less than from Debian, and would probably verify the signature before installing it on a server. If I download something from Microsoft.com I would actually hope to get a virus, since they would probably be willing to pay a lot of money to shut me up due to how much they have on the line ;-)

Too many people just want magic bullet solutions, and assume they are safe. It doesn't matter how many security products you have on Windows, whether or not you use Linux, or how you download your files. There is always a chance of bad things happening; it is all about doing things to lower the risk, and never just assuming you are safe.

Reply Parent Score: 2
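The "checks built in to the package manager to prevent tampering" that the comment above contrasts with a bare FTP mirror are, in apt's case, a hash chain: a signed Release file lists the hash and size of each Packages index, and each Packages stanza lists the hash and size of the .deb it describes. A mirror operator (or anyone who can write to a mirror, as in the Red Hat incident mentioned earlier in the thread) can swap a .deb or rewrite an index, but cannot re-sign Release without the distribution's key. The following is an added example, not code from the thread or from apt itself, that walks that chain over constructed in-memory files; it assumes the Release text has already been checked against a trusted keyring (apt does this with gpgv), which is the one step it does not perform.

```python
"""Added example: verifying the apt hash chain Release -> Packages -> .deb.

Illustrative code, not apt's implementation. All files below are constructed
inline; the Release signature check (gpgv against a trusted keyring) is assumed
to have been done before verify_chain() is called.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the 'SHA256:' section of a Release file.

    Real Release files carry several hash sections (MD5Sum, SHA1, SHA256);
    entries under a section are indented by one space: ' <hash> <size> <path>'.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if not line.startswith(" "):
            in_section = False          # any unindented line ends the section
            continue
        if in_section:
            parts = line.split()
            if len(parts) == 3:
                entries[parts[2]] = (parts[0], int(parts[1]))
    return entries


def parse_packages(packages_text: str) -> list:
    """Parse Packages stanzas (blank-line separated 'Field: value' blocks)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def verify_chain(release_text, packages_bytes, packages_path, deb_bytes, deb_filename):
    """Check the Packages index against Release, then the .deb against Packages.

    Returns (ok, reason). Size is compared before hashing, as apt does, so a
    padded or truncated file is rejected cheaply.
    """
    release_entries = parse_release_sha256(release_text)
    if packages_path not in release_entries:
        return False, "Packages index not listed in Release"
    exp_hash, exp_size = release_entries[packages_path]
    if len(packages_bytes) != exp_size or sha256_hex(packages_bytes) != exp_hash:
        return False, "Packages index does not match Release"
    for stanza in parse_packages(packages_bytes.decode()):
        if stanza.get("Filename") == deb_filename:
            if int(stanza.get("Size", -1)) != len(deb_bytes):
                return False, "package size mismatch"
            if stanza.get("SHA256") != sha256_hex(deb_bytes):
                return False, "package SHA256 mismatch"
            return True, "ok"
    return False, "package not in index"


# --- constructed sample repository (not a real .deb, just bytes to hash) ---
DEB = b"!<arch>\ndebian-binary   constructed stand-in for a .deb archive\n"
DEB_PATH = "pool/main/e/example-screensaver_1.0_all.deb"
INDEX_PATH = "main/binary-all/Packages"
PACKAGES = (
    "Package: example-screensaver\nVersion: 1.0\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n"
)
PACKAGES_BYTES = PACKAGES.encode()
RELEASE = (
    "Origin: Example\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


def demo():
    """Run the chain against an honest mirror and two tampered ones."""
    honest = verify_chain(RELEASE, PACKAGES_BYTES, INDEX_PATH, DEB, DEB_PATH)
    # Mirror swaps the .deb but leaves the index alone.
    evil_deb = DEB + b"payload"
    swapped = verify_chain(RELEASE, PACKAGES_BYTES, INDEX_PATH, evil_deb, DEB_PATH)
    # Mirror also rewrites Packages to match the payload, but cannot re-sign Release.
    evil_index = (PACKAGES.replace(sha256_hex(DEB), sha256_hex(evil_deb))
                          .replace(f"Size: {len(DEB)}", f"Size: {len(evil_deb)}")).encode()
    reindexed = verify_chain(RELEASE, evil_index, INDEX_PATH, evil_deb, DEB_PATH)
    return honest, swapped, reindexed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the code makes is the one the thread circles around: the mirror is untrusted, and the only trust anchor is the key that signed Release, so a compromised mirror can at most serve stale or unavailable packages, not modified ones. Downloading a .deb from a website skips every link in this chain.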