Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 400070
RE[3]: Audit packages
by lemur2 on Thu 17th Dec 2009 08:39 UTC in reply to "RE[2]: Audit packages"
lemur2
Member since:
2007-02-17

"
I, personally, would maintain that it is better and easier (and far more thorough) to have the distribution's maintainers worry about auditing each package.


While I agree with you in that repositories are the way to go, I don't really believe the above is true. Package maintainers are just guys like you and me, with little time to audit packages. The constant flux of security updates is a testimony of this.
"

Their audit needs to be that the source code being compiled into the package is the correct latest released code from the project.

Their audit needs to be that the source code is compiled correctly for their particular distribution, and that the package is set with the correct dependencies. Their audit needs to be those dependencies are all already available in the repository.

Their audit needs to be that the binary that is present in the new package is correct against the source code (which is also correct against the project's source code revision system, such as Git).

Their audit needs to be that it compiled correctly, without warnings, and that it runs when test installed.

If they audit all these things (and it is their interest to maintain the distribution's reputation), then their package in their repository will not contain malware.

It doesn't mean going over the code with a fine tooth comb, it means only that the package is a correct representation (for that distribution) of the project's released code. The distribution maintainers are the only people really in a position to do this audit.

End users can definitely take advantage of this, and thereby guarantee their systems will not get malware. There will be no malware if everything is open, public, and all viewable by many people who did not write the code.

After all, malware can only exist in closed, secret binary blobs, whose workings are visible only to the original (malicious) author(s).

If you have any doubts about the efficacy of this system, remember, distributions' repositories have an impeccable record so far, after many years' use across many distributions for thousands of packages. "Guarantee" is not too strong a word.

Edited 2009-12-17 08:45 UTC

Reply Parent Score: 2
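As an added example (not code from the page, from the distributions or from any of the commenters), here is a small Python inspector that performs the package-level part of the check lemur2 lists: it opens a .deb as the ar archive it is, reads control.tar and data.tar, compares every installed file against the DEBIAN/md5sums list, and reports which maintainer scripts (preinst/postinst/prerm/postrm) the package would execute as root on install. The two packages it inspects are constructed in memory for the demonstration, not the GNOME-Look packages from the story; the package name, the /usr/local/bin/gnome-update path and the script bodies are placeholders.

```python
import hashlib
import io
import tarfile
from typing import Dict

# A .deb is a classic "ar" archive holding debian-binary, control.tar(.xz|.gz) and
# data.tar(.xz|.gz). The constructed samples use uncompressed tar members; tarfile's
# "r:*" mode also reads the compressed ones real packages ship.
AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def ar_member(name: bytes, data: bytes) -> bytes:
    """Encode one ar member: 60-byte fixed-width header, data, pad to even length."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    return header + data + (b"\n" if len(data) % 2 else b"")


def ar_members(blob: bytes) -> Dict[str, bytes]:
    """Split an ar archive into {member name: bytes}, validating each header."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (bad magic)")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar may end names with '/'
        size = int(hdr[48:58].decode("ascii"))
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)  # members start at even offsets
    return members


def make_tar(files: Dict[str, bytes]) -> bytes:
    """Uncompressed tar with fixed metadata; only used to build the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size, info.mtime = len(content), 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def read_tar(blob: bytes) -> Dict[str, bytes]:
    """Regular files of a (possibly compressed) tar, keyed by path without the leading './'."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                name = m.name[2:] if m.name.startswith("./") else m.name
                out[name] = tar.extractfile(m).read()
    return out


def _find(members: Dict[str, bytes], prefix: str) -> str:
    for name in members:
        if name.startswith(prefix):
            return name
    raise ValueError(f"no {prefix}* member in package")


def inspect_deb(blob: bytes) -> dict:
    """Report maintainer scripts, md5sums mismatches and files missing from md5sums."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("missing or unexpected debian-binary member")
    control = read_tar(members[_find(members, "control.tar")])
    data = read_tar(members[_find(members, "data.tar")])
    listed = {}
    for line in control.get("md5sums", b"").decode().splitlines():
        digest, _, path = line.partition("  ")  # "hex  path", path relative to /
        listed[path] = digest
    return {
        "scripts": sorted(s for s in MAINTAINER_SCRIPTS if s in control),
        "mismatched": sorted(p for p, d in listed.items()
                             if hashlib.md5(data.get(p, b"")).hexdigest() != d),
        "unlisted": sorted(p for p in data if p not in listed),  # conffiles are legitimately unlisted
        "files": sorted(data),
    }


def build_deb(control: Dict[str, bytes], data: Dict[str, bytes]) -> bytes:
    return (AR_MAGIC + ar_member(b"debian-binary", b"2.0\n")
            + ar_member(b"control.tar", make_tar(control))
            + ar_member(b"data.tar", make_tar(data)))


def md5sums_for(data: Dict[str, bytes]) -> bytes:
    lines = (f"{hashlib.md5(c).hexdigest()}  {p[2:] if p.startswith('./') else p}\n"
             for p, c in sorted(data.items()))
    return "".join(lines).encode()


# Constructed samples (placeholders, not the packages from the story): a plain theme
# package, then the same package with an extra executable and a postinst that runs it.
THEME = {"./usr/share/themes/Example/index.theme": b"[Desktop Entry]\nName=Example\n"}
CONTROL = {"./control": b"Package: example-theme\nVersion: 1.0\nArchitecture: all\n"
                        b"Maintainer: nobody <nobody@example.invalid>\nDescription: constructed sample\n"}


def demo():
    clean = build_deb({**CONTROL, "./md5sums": md5sums_for(THEME)}, THEME)
    extra = {**THEME, "./usr/local/bin/gnome-update": b"#!/bin/sh\n# placeholder body\n"}
    bad_ctl = {**CONTROL, "./md5sums": md5sums_for(THEME),  # md5sums omits the extra file
               "./postinst": b"#!/bin/sh\n/usr/local/bin/gnome-update\n"}
    return inspect_deb(clean), inspect_deb(build_deb(bad_ctl, extra))


if __name__ == "__main__":
    for label, report in zip(("clean", "suspicious"), demo()):
        print(label, report)
```

The md5sums list travels inside the package, so this check only catches a package corrupted or altered after it was built; an author who put the payload in before running dpkg-deb produces a perfectly consistent md5sums. That is why the checks lemur2 describes happen upstream of the .deb (source matching the project's release, rebuilt binary matching the source) and why a signed repository matters. For a third-party .deb the one thing worth reading before installing is the "scripts" list: dpkg runs those as root, and a theme or screensaver has no business shipping any.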

RE[4]: Audit packages
by strcpy on Thu 17th Dec 2009 15:01 in reply to "RE[3]: Audit packages"
strcpy Member since:
2009-05-20

Sure. No big disagreements there.

Yet, the packagers seldom audit the actual source code from which the binary is packaged.

I believe, as you do, that the "audits" you mention are generally sufficient to ensure that no malware gets through. But that is not to say that security vulnerabilities wouldn't get through.

Edited 2009-12-17 15:02 UTC

Reply Parent Score: 2

RE[5]: Audit packages - Debian
by jabbotts on Thu 17th Dec 2009 15:29 in reply to "RE[4]: Audit packages"
jabbotts Member since:
2007-09-06

It depends on the distribution. I think most of the security research community would be impressed if you could get a malicious package through Debian's vetting stages and into stable back-ports or testing repositories.

Reply Parent Score: 2

RE[5]: Audit packages
by lemur2 on Thu 17th Dec 2009 22:14 in reply to "RE[4]: Audit packages"
lemur2 Member since:
2007-02-17

"
Sure. No big disagreements there. Yet, the packagers seldom audit the actual source code from which the binary is packaged.
"

True.

That part is up to the original project itself.

By "project", I mean an open source collaborative development project, such as KDE, or GNOME, or Apache, or Mozilla, or whatever.

The projects audit their source code and submissions to their source code.

The distributions audit that that source code faithfully gets onto end users' systems.

Neither party does the work of the other. It is a collaboration involving multiple, independent individuals, all of whom have an interest in ensuring the purity of the code.

It is also like a double-blind. No one malicious person (who might have an aim to infect end users' systems with malware) gets to push the code the whole way through to end users' systems.

Finally ... don't forget about the perfect record of this system. The proof is in the pudding, as they say.

Reply Parent Score: 2