Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 400186
RE[6]: Audit packages - Debian
by lemur2 (member since 2007-02-17) on Thu 17th Dec 2009 22:37 UTC in reply to "RE[5]: Audit packages - Debian"

It depends on the distribution. I think most of the security research community would be impressed if you could get a malicious package through Debian's vetting stages and into stable back-ports or testing repositories.
Exactly so.

Debian's use of package management goes back to the 1999-2004 timeframe.

http://en.wikipedia.org/wiki/Debian#History

No instance has ever been recorded of a malicious package getting through the system yet, for many thousands of packages, over a decade timespan.

A few times in that period some Debian servers have been hacked. Some intruders even got root access, I believe. Even so, still no way was found to inject any hidden malware into the system.

Edited 2009-12-17 22:40 UTC

Score: 2