Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 400022
To read all comments associated with this story, please click here.
Audit packages
by 3rdalbum on Thu 17th Dec 2009 01:01 UTC
3rdalbum
Member since:
2008-05-26

Ubuntu has a tool for installing offline packages, called gDebi. gDebi has always been able to show you the names and locations of files that will be installed in the package; well the latest version actually allows you to look at the contents of the files before you install. You can even look at the Debian control scripts and the contents of gzipped files.

It would be a good idea to have a quick look at this information (the "Included Files" tab) before installing a package.

Of course, on Windows it's nearly impossible to audit the contents of their binary installers, and it's still not very easy to look at the contents of MSI packages on Windows. Kudos to Ubuntu and the gDebi developers for implementing this feature so conveniently, and more importantly doing it before this recent attack ever occurred.

Reply Score: 2

RE: Audit packages
by lemur2 on Thu 17th Dec 2009 01:08 in reply to "Audit packages"
lemur2 Member since:
2007-02-17

Ubuntu has a tool for installing offline packages, called gDebi. gDebi has always been able to show you the names and locations of files that will be installed in the package; well the latest version actually allows you to look at the contents of the files before you install. You can even look at the Debian control scripts and the contents of gzipped files. It would be a good idea to have a quick look at this information (the "Included Files" tab) before installing a package. Of course, on Windows it's nearly impossible to audit the contents of their binary installers, and it's still not very easy to look at the contents of MSI packages on Windows. Kudos to Ubuntu and the gDebi developers for implementing this feature so conveniently, and more importantly doing it before this recent attack ever occurred.


I, personally, would maintain that it is better and easier (and far more thorough) to have the distribution's maintainers worry about auditing each package.

If you stick to using the distributions repositories via the package manager, then that is what you are effectively doing.

Downloading packages (using a web browser or whatever) short-circuits the audit of the distribution's repository maintainers. Whoever made that package could have put anything at all in it. You would probably be very lucky to spot anything untoward yourself.

I, personally, would avoid downloading packages from outside the distribution's repository and installing them using gdebi (or dpkg, or whatever you are using). The reason why I would avaoid it is because you open yourself up to trojans if you do this (as indeed what happened in the original article that this thread is about).

Edited 2009-12-17 01:18 UTC

Reply Parent Score: 2

RE[2]: Audit packages
by strcpy on Thu 17th Dec 2009 07:22 in reply to "RE: Audit packages"
strcpy Member since:
2009-05-20


I, personally, would maintain that it is better and easier (and far more thorough) to have the distribution's maintainers worry about auditing each package.


While I agree with you in that repositories are the way to go, I don't really believe the above is true. Package maintainers are just guys like you and me, with little time to audit packages. The constant flux of security updates is a testimony of this.

Reply Parent Score: 2