Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009 -- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430052
RE: Comment by lemur2
by WorknMan on Tue 15th Jun 2010 05:02 UTC in reply to "Comment by lemur2"
WorknMan Member since:
2005-11-13

Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.


And people keep bitching because Apple won't open up the iPhone/iPad to allow for installing apps from outside sources. But I say, be careful what you wish for ...

Insofar as Linux goes, it's easy to say that a platform is secure when you just tell people that, to stay secure, you gotta stick to the applications supplied to you by the Distro Gods. And in the case of Linux, as we have seen here, it is even more dangerous to venture outside the sandbox of the distro repository, since any douchebag can screw with the source, recompile it, and offer it on some random server. Better hope whoever downloads it knows about PGP.

Reply Parent Score: 2

RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 05:36 in reply to "RE: Comment by lemur2"
lemur2 Member since:
2007-02-17

"Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.
And people keep bitching because Apple won't open up the iPhone/iPad to allow for installing apps from outside sources. "

WTF????

Opposite situation. It is better for the outside developer to avail themselves of the resources of the distribution repository. Unlike Apple, this is not a case of "your app can't be in our repository" ... where is there any profit in that?

But I say, be careful what you wish for ... Insofar as Linux goes, it's easy to say that a platform is secure when you just tell people that, to stay secure, you gotta stick to the applications supplied to you by the Distro Gods. And in the case of Linux, as we have seen here, it is even more dangerous to venture outside the sandbox of the distro repository, since any douchebag can screw with the source, recompile it, and offer it on some random server. Better hope whoever downloads it knows about PGP.


The "Distro Gods" are not in the business of trying to limit you. You can get, say, VLC, KDE, MPlayer, Firefox and OpenOffice on Debian, Ubuntu, SuSE, Mandriva and Red Hat. It is the same code, it is not re-written dozens of times over by different "Distro Gods". Sheesh!

There are over 25,000 open source packages in Debian/Ubuntu repositories. This is hardly a case of anyone "playing God" and trying to somehow short-change you.

But, anyway, if your application is too obscure for a distribution to accept it (because after all they would have to devote resources to it if they did accept it) ... then you can still sign your packages and host them in a format suitable for delivery via end users' package managers anyway. The only weakness here is that end users must add a URL to your distribution server in their software sources list, and they must obtain your public key securely from somewhere. There are key servers for that latter purpose.

For example, if you want a version of Firefox-3.7 that includes WebM, right now, today, then here you go:
https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa

Open a terminal and enter:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa
sudo apt-get update
sudo apt-get install firefox-3.7

This will install a GPG-signed Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.

There are over 18,000 projects on launchpad.net.

https://launchpad.net/

Edited 2010-06-15 05:45 UTC

Reply Parent Score: 1

RE[3]: Comment by lemur2
by WorknMan on Tue 15th Jun 2010 07:13 in reply to "RE[2]: Comment by lemur2"
WorknMan Member since:
2005-11-13

The "Distro Gods" are not in the business of trying to limit you.


I didn't say they were. Only thing I am saying is that, if you stick to your distro's repository, they are ultimately in control over what gets installed on your system. This is not really any different than the Apple App Store. Sure, their motives might be different (whereas Apple may decide a particular app goes against their profit motive, the Distro Gods may decide that the app is just not popular enough to worry about), but the choice of what you can install is still in the hands of somebody else, unless you seek outside sources, in which case you're opening yourself up to security issues.

For example, if you want a version of Firefox-3.7 that includes WebM, right now, today, then here you go:
https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa

Open a terminal and enter:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa
sudo apt-get update
sudo apt-get install firefox-3.7

This will install a GPG-signed Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.


No, but they'd have to know about sudo, apt-get, package managers, and key servers. Somehow, that doesn't seem a whole lot less complicated.

Reply Parent Score: 2

RE[3]: Comment by lemur2
by Lennie on Tue 15th Jun 2010 07:49 in reply to "RE[2]: Comment by lemur2"
Lennie Member since:
2007-09-22

The problem with a ppa is: who is behind the ppa/gpg key?

Yes, you can prove which launchpad user it was, but that is about it (just like any other piece of software you download off the internet).

At least with a direct distribution channel, you have a chance that more people have looked at it before it went into a release.

Reply Parent Score: 2

RE[2]: Comment by lemur2 - file hash
by jabbotts on Tue 15th Jun 2010 19:42 in reply to "RE: Comment by lemur2"
jabbotts Member since:
2007-09-06

Shame the developers didn't provide a file hash for verification from the beginning. That would have at least caught this on its way into any reputable distributions even if one-off home users didn't bother to verify.

Reply Parent Score: 2
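As an added example, not code from any comment in this thread, here are the two checks a downloader can run on a tarball fetched from a project's own server, the situation lemur2 (signed packages, a public key obtained securely) and jabbotts (a published file hash) describe: a SHA-256 comparison against a value published out of band, and a GPG check of a detached signature using a keyring that holds only the developer's key. The file names, key path and hash values are placeholders or constructed; only the hash demo is exercised here.

```shell
#!/bin/sh
# Added example, not from any post in the thread. Verifies a downloaded
# tarball two ways. The published hash or key must come from somewhere the
# attacker could not also edit (a signed announcement, a key server), or a
# re-uploaded tarball simply ships with a matching re-computed hash.

# verify_sha256 FILE EXPECTED_HEX  -> 0 on match, 1 on mismatch
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] && return 0
    echo "hash mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# verify_signature FILE FILE.asc DEVKEY.asc -> gpg's exit status
# A throwaway keyring holding only DEVKEY.asc (hypothetical path) means a
# signature from any other key in the user's normal keyring is not accepted.
verify_signature() {
    ringdir=$(mktemp -d)
    gpg --no-default-keyring --keyring "$ringdir/dev.gpg" --import "$3" 2>/dev/null
    gpg --no-default-keyring --keyring "$ringdir/dev.gpg" --verify "$2" "$1"
    rc=$?
    rm -rf "$ringdir"
    return $rc
}

# demo_hash_check: constructed data. A pristine tarball and a copy with bytes
# appended (standing in for a re-upload that differs from what the developers
# released). Returns 0 only if the pristine copy passes and the copy is rejected.
demo_hash_check() {
    dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$dir/package.tar.gz"
    # "published" value: what the project would have announced out of band
    published=$(sha256sum "$dir/package.tar.gz" | cut -d' ' -f1)
    cp "$dir/package.tar.gz" "$dir/package-reupload.tar.gz"
    printf 'bytes added by someone else\n' >> "$dir/package-reupload.tar.gz"
    verify_sha256 "$dir/package.tar.gz" "$published" || { rm -rf "$dir"; return 1; }
    if verify_sha256 "$dir/package-reupload.tar.gz" "$published" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}
```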

lemur2 Member since:
2007-02-17

Shame the developers didn't provide a file hash for verification from the beginning. That would have at least caught this on its way into any reputable distributions even if one-off home users didn't bother to verify.


It wasn't in any distributions. Too obscure.

The whole reason the UnrealIRCd trojan happened was because distribution for this obscure package was done OUTSIDE of any distribution or package manager system.

UnrealIRCd for Linux was distributed in exactly the same way that Windows executables are often distributed. Because it was distributed this way, then just like those Windows packages it was able to be used to carry a trojan.

Edited 2010-06-15 23:08 UTC

Reply Parent Score: 2