Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 400019
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: eugh @
by lemur2 on Thu 17th Dec 2009 00:46 UTC in reply to "eugh @"
lemur2
Member since:
2007-02-17

eugh @ "‘This minor incident highlights both the inherent strength of the repository system, as well as one of its weaknesses.’
GNOME-LOOK is a third party collection of themes that you can install at your own risk. It’s nearly the same as getting a porn pop-up with a .deb file link in. This has nothing to do with repository systems, and 100% to do with trust. "

Exactly. This trojan did not get to users systems via the repository/package manager system. It relied instead on users downloading an individual package via a web browser, and then installing it manually once it had been downloaded.

This instance actually serves to higlight the strength of the repository/package manager system.

Reply Parent Score: 5