Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430054
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 05:36 UTC in reply to "RE: Comment by lemur2"
lemur2
Member since:
2007-02-17

"Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.
And people keep bitching because Apple won't open up the iPhone/iPad to allow for installing apps from outside sources. "

WTF????

Opposite situation. It is better for the outside developer to avail themselves of the resources of the distribution repository. Unlike Apple, this not a case of "your app can't be in our repository" ... where is there any profit in that?

But I say, be careful for what you wish for ... Insofar as Linux goes, it's easy to say that a platform is secure when you just tell people that, to stay secure, you gotta stick to the applications supplied to you by the Distro Gods. And in the case of Linux, as we have seen here, it is even more dangerous to venture outside the sandbox of the distro repository, since any douchebag can screw with the source, recompile it, and offer it on some random server. Better hope whoever downloads it knows about PGP.


The "Distro Gods" are not in the business of trying to limit you. You can get, say, VLC, KDE, MPlayer, Firefox and OpenOffice on Debian, Ubuntu, SuSe, Mandriva and RedHat. It is the same code, it is not re-written dozens of times over by different "Distro Gods". Sheesh!

There are over 25,000 open source packages in Debian/Ubuntu repositories. This is hardly a case of anyone "playing God" and trying to somehow short-change you.

But, anyway, if your application is too obscure for a distribution to accept it (because after all they would have to devote resources to it if they did accept it) ... then you can still sign your packages and host them in a format suitable for delivery via end users package managers anyway. The only weakness here is that end users must add a URL to your distribution server in their software sources list, and they must obtain your public key securely from somewhere. There are key servers for that latter purpose.

For example, if you want a version of Firefox-3.7 that includes WebM, right now, today, then here you go:
https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa

Open a terminal and enter:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa
sudo apt-get update
sudo apt-get install firefox-3.7

This will install a GPG signed version of Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.

There are over 18,000 projects on launchpad.net.

https://launchpad.net/

Edited 2010-06-15 05:45 UTC

Reply Parent Score: 1

RE[3]: Comment by lemur2
by WorknMan on Tue 15th Jun 2010 07:13 in reply to "RE[2]: Comment by lemur2"
WorknMan Member since:
2005-11-13

The "Distro Gods" are not in the business of trying to limit you.


I didn't say they were. Only thing I am saying is that, if you stick to your distro's repository, they are ultimately in control over what gets installed on your system. This is not really any different than the Apple app store.. Sure, their motives might be different (whereas Apple may decide a particular app goes against their profit motive, the Distro Gods may decide that the app is just not popular enough to worry about), but the choice of what you can install is still in the hands of somebody else, unless you seek outside sources, in which case you're opening yourself up to security issues.

For example, if you want a version of Firefox-3.7 that includes WebM, right now, today, then here you go:
https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa

Open a terminal and enter:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa
sudo apt-get update
sudo apt-get install firefox-3.7

This will install a GPG signed version of Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.


No, but they'd have to know about sudo, apt-get, package managers, and key servers. Somehow, that doesn't seem a whole lot less complicated.

Reply Parent Score: 2

RE[4]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 07:28 in reply to "RE[3]: Comment by lemur2"
lemur2 Member since:
2007-02-17

"For example, if you want a version of Firefox-3.7 that includes WebM, right now, today, then here you go: https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa Open a terminal and enter: sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa sudo apt-get update sudo apt-get install firefox-3.7 This will install a GPG signed version of Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.
No, but they'd have to know about sudo, apt-get, package managers, and key servers. Somehow, that doesn't seem a whole lot less complicated. "

Not at all. Users need to know only:
(1) How to "Open a terminal",
(2) How to highlight a line of text from this very web page as they are reading it,
(3) How to paste that copied text into the terminal application (hint: middle-click anywhere in the terminal window area)
(4) their password

They do that three times, once for each line (actually, they need to know their password only for the first line), and they are done.

It sin't hard. Select each line of text, one line at a time, in order, for the following three lines:
sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa
sudo apt-get update
sudo apt-get install firefox-3.7


Then middle-click anywhere in the terminal window after each selection has been made.

Users don't even need to know how to type (except for their password, once only).

There is also a GUI way to do the same thing using Synaptic, but that is actually harder to describe on a text-based web forum such as this, and harder for users to actually carry out.

Anyway, had the vendors of the app which is the subject of this thread simply opened a launchpad.net account and copied their source tree there, this trojan would have been avoided for Ubuntu/Kubuntu users.

Edited 2010-06-15 07:36 UTC

Reply Parent Score: 2

RE[3]: Comment by lemur2
by Lennie on Tue 15th Jun 2010 07:49 in reply to "RE[2]: Comment by lemur2"
Lennie Member since:
2007-09-22

The problem with ppa is, who is behind the ppa/gpg-key ?

Yes, you can prove which lauchpad user it was, but that is about it (just like any other piece of software you download of the internet).

Atleast with a direct distribution-channel, you have a change more people have looked at it before it went in to a release.

Reply Parent Score: 2

RE[4]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 10:29 in reply to "RE[3]: Comment by lemur2"
lemur2 Member since:
2007-02-17

The problem with ppa is, who is behind the ppa/gpg-key ?


It is sent via a key server, and AFAIK that is itself an installation signed by Ubuntu's repository key.

Your key isn't just generated by yourself, you have to get "cred" for your key in order for it to get on a key server.

http://en.wikipedia.org/wiki/Key_signing_party

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

There was a huge shipment of Windows boxed copies on it's way to retail stores that got stopped by police a few years back. All counterfeit and riddled with malware. You can't even trust hardcopy distribution these days.. eesh..

Reply Parent Score: 2