Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430168
To view parent comment, click here.
To read all comments associated with this story, please click here.
jabbotts
Member since:
2007-09-06

I give you.. Debian Stable. EnGard Secure Linux would be a good choice if the machine your protecting justifies it. Maybe not Damn Vulnerable Linux though. ;)

Seriously though, this is really more of an example of how fast issues can be patched once discovered and a pretty good case study for how things can go badly. I'm adding it to my library beside the Debian OpenSSL issue from a year or so ago where a developer ignored the Debian policies and processes.

These things happen with all software but the repository distribution method continues to have a low (nearly nothing) case history of such issues; especially compared to other software distribution methods.

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

These things happen with all software but the repository distribution method continues to have a low (nearly nothing) case history of such issues; especially compared to other software distribution methods.


Just to be clear ... the repository distribution system has a perfect record. Exactly nothing has ever happened, in terms of malware getting on to end users systems. This particular trojan incident had nothing at all do with the repository distribution system.

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

So, how many times are you going to ignore Gentoo then? It got into the distribution. It got into the Gentoo repositories. It got onto end user machines if they installed UnrealIRCd from the Gentoo repositories. More importantly, Gentoo had the fixed package available pretty much immediately after fixed source was available from UnrealIRCd.

I'll agree fully that repository distribution has the most solid history so far but let's not be deluded and seriously say "never has happened, never will happen".

Reply Parent Score: 2