Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 400008
eugh @
by Beta on Wed 16th Dec 2009 23:33 UTC
Beta
Member since:
2005-07-06

eugh @

‘This minor incident highlights both the inherent strength of the repository system, as well as one of its weaknesses.’

GNOME-LOOK is a third party collection of themes that you can install at your own risk. It’s nearly the same as getting a porn pop-up with a .deb file link in.
This has nothing to do with repository systems, and 100% to do with trust.

Reply Score: 4

RE: eugh @
by lemur2 on Thu 17th Dec 2009 00:46 in reply to "eugh @"
lemur2 Member since:
2007-02-17

eugh @ "‘This minor incident highlights both the inherent strength of the repository system, as well as one of its weaknesses.’
GNOME-LOOK is a third party collection of themes that you can install at your own risk. It’s nearly the same as getting a porn pop-up with a .deb file link in. This has nothing to do with repository systems, and 100% to do with trust. "

Exactly. This trojan did not get to users' systems via the repository/package manager system. It relied instead on users downloading an individual package via a web browser, and then installing it manually once it had been downloaded.

This instance actually serves to highlight the strength of the repository/package manager system.

Reply Parent Score: 5
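The point made above is that a .deb fetched in a browser and installed by hand skips every integrity check the repository path performs, and dpkg will run any maintainer script the package carries as root. The script below is an added example, not code from the thread or from any project mentioned in it: it builds a small constructed .deb in memory (the package name, maintainer and postinst body are all made up), then parses the ar container and the control archive to list the package fields and any maintainer scripts, which is the inspection a cautious user can do before running `dpkg -i` on an untrusted file.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def _ar_member(name: bytes, data: bytes) -> bytes:
    """Encode one member in the classic 60-byte ar header format used by .deb."""
    hdr = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
           + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    assert len(hdr) == 60
    # Member data is padded to an even byte boundary.
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    """Pack a {path: bytes} mapping into a gzipped tar the way dpkg-deb does."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name="./" + name)
            info.size = len(content)
            info.mode = 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample: a theme package that also ships a postinst script."""
    control = (b"Package: example-theme\nVersion: 1.0\nArchitecture: all\n"
               b"Maintainer: constructed <nobody@example.invalid>\n"
               b"Description: constructed sample package\n")
    postinst = b"#!/bin/sh\necho 'this runs as root at install time'\n"
    data = {"usr/share/themes/example/index.theme": b"[Desktop Entry]\n"}
    return (AR_MAGIC
            + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", _tar_gz({"control": control, "postinst": postinst}))
            + _ar_member(b"data.tar.gz", _tar_gz(data)))


def parse_ar(blob: bytes) -> dict:
    """Split an ar archive into {member_name: bytes}; a .deb is exactly this."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        # Some ar writers terminate names with '/', dpkg pads with spaces.
        name = hdr[:16].rstrip().rstrip(b"/").decode()
        size = int(hdr[48:58].strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)
    return members


def inspect_deb(blob: bytes) -> dict:
    """Return control fields and the text of any maintainer scripts."""
    members = parse_ar(blob)
    ctrl_name = next(n for n in members if n.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[ctrl_name]), mode="r:*") as tf:
        entries = {m.name.lstrip("./"): tf.extractfile(m).read()
                   for m in tf if m.isfile()}
    fields = dict(line.split(": ", 1)
                  for line in entries["control"].decode().splitlines() if ": " in line)
    scripts = {n: c.decode(errors="replace") for n, c in entries.items()
               if n in MAINTAINER_SCRIPTS}
    return {"fields": fields, "scripts": scripts,
            "has_maintainer_scripts": bool(scripts)}


if __name__ == "__main__":
    report = inspect_deb(build_sample_deb())
    print(report["fields"])
    for name, body in report["scripts"].items():
        print(f"--- {name} (runs as root) ---\n{body}")
```

A theme or screensaver has no legitimate need for maintainer scripts, so a non-empty `scripts` mapping on such a package is the signal to stop and read what it does before installing; the same inspection can be done with `dpkg-deb --ctrl-tarfile` on a real file, and for anything coming from a configured repository apt performs the equivalent verification automatically.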

RE: eugh @
by vivainio on Thu 17th Dec 2009 13:33 in reply to "eugh @"
vivainio Member since:
2008-12-26

This has nothing to do with repository systems, and 100% to do with trust.

Of course a repository system provides a degree of trust.

We actually need some kind of global "open source web of trust" system, and getting your key signed would require that:

- You are using your real name
- You have a social security number and an address
- You are living in a country where police can throw you to jail if needed

Reply Parent Score: 2