Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses

Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009 -- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430066
Most of it is Hype, but not from OSNews
by Lennie on Tue 15th Jun 2010 07:41 UTC in reply to "Comment by ssa2204"
Lennie, member since 2007-09-22

I've seen many sources, for example:

http://www.zdnet.com/blog/bott/linux-infection-proves-windows-malwa...

As r_a_trip already mentioned:

"The incident has nothing to do with Operating System or development methodology (open or closed).

The take away is that sloppy software projects, with a non-existent security process will sooner or later get compromised and serve their customers poisoned goods. Could happen anywhere, irrespective of platform or chosen software licensing."

And that's the only useful response.

But it seems the Gentoo folks were being stupid too:

http://www.gentoo.org/security/en/glsa/glsa-201006-21.xml

At least ALL distributions are now warned and thank god it was only the UnrealIRCd.

When you are creating packages for distributions, you should get the source from the source, not some mirror as in the case of Gentoo. You should check md5-keys at the source.

When it's a smaller package I wouldn't be surprised many package maintainers also take a look at the patch between the versions. So you know exactly what changed between versions.

Edited 2010-06-15 07:56 UTC

Score: 2
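An added example, not part of the comment above or of any distribution's tooling: a packaging-time check that compares a downloaded tarball with the digest published at the origin, then lists which files differ from the reviewed release. It uses SHA-256 rather than the MD5 the comment mentions, and all file names, contents and function names are constructed for illustration.

```python
import hashlib, hmac, io, tarfile

def make_tarball(files):
    """Build an in-memory .tar.gz from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()

def matches_published(blob, published_hex):
    """True only if the downloaded bytes hash to the digest read from the origin."""
    return hmac.compare_digest(sha256_hex(blob), published_hex.strip().lower())

def member_digests(blob):
    """Map every regular file inside the tarball to its SHA-256."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: sha256_hex(tar.extractfile(m).read())
                for m in tar if m.isfile()}

def changed_members(reviewed_blob, candidate_blob):
    """Files added, removed or modified relative to the reviewed tarball."""
    old, new = member_digests(reviewed_blob), member_digests(candidate_blob)
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))

# Constructed sample data: a release as published at the origin, and a mirror
# copy in which one source file carries an extra, unreviewed line.
RELEASE = {"example-1.0/README": b"example project\n",
           "example-1.0/src/main.c": b"int main(void) { return 0; }\n"}
ALTERED = dict(RELEASE)
ALTERED["example-1.0/src/main.c"] += b"/* constructed unreviewed change */\n"

ORIGIN_TARBALL = make_tarball(RELEASE)
PUBLISHED_SHA256 = sha256_hex(ORIGIN_TARBALL)  # stands in for the value on the origin site
MIRROR_TARBALL = make_tarball(ALTERED)

if __name__ == "__main__":
    for label, blob in (("origin", ORIGIN_TARBALL), ("mirror", MIRROR_TARBALL)):
        ok = matches_published(blob, PUBLISHED_SHA256)
        print(label, "digest matches" if ok else "DIGEST MISMATCH, do not package")
    print("files to review:", changed_members(ORIGIN_TARBALL, MIRROR_TARBALL))
```

The same `changed_members` call works between two consecutive releases, which gives a maintainer the short list of files whose diff is worth reading before packaging.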

Lennie, member since 2007-09-22

I would like to add, it's not a perfect system, there are humans involved, they make mistakes.

But at the end of the day, you are putting software together from different sources. They should probably be contained as much as possible, also from each other.

And maybe you automate this a bit more and I hope we can improve on it. But eventually it will originate from a human being. A programmer. The Linux-kernel programmers use git to keep track of the origin of every single line of code that goes into the kernel and every line is reviewed.

If we verify everything along the way into the distributions and the tools check the packages and files (regularly and) at installation time, then that is probably the best thing we can do.

Score: 2