Simon Robert wrote:
> All this stuff about how installing a .deb file from a project's website
> rather than from the ubuntu/debian repositories could be dangerous is
> frankly pants.

Haven't really followed it but...

http://www.omgubuntu.co.uk/2009/12/malware-found-in-screensaver-for-ubuntu.html
http://www.omgubuntu.co.uk/2009/12/yet-more-malware-found-on-gnome-look.html

> Exactly what nasties could be inserted? (OK probably some),

Anything. Since debs are installed with root privileges they can do anything any software can.

> but there has never been a linux virus malware example seen in the wild.

There is plenty of GNU/Linux malware out there. Most of it spreads via PHP vulnerabilities, uses known exploits to get root, and then installs kernel modules to hide itself. So most of it is a web server problem. Some spreads via SSH. Much of it is defeated by keeping things current and using sensible settings, but that is the same as in Microsoft Windows.

That you haven't seen it doesn't mean it doesn't exist. It is less of an issue than on Microsoft Windows (hardly a big claim to fame), but last I looked there are 2.4 million hosts on the SSH DNS blacklists; I'll bet a large proportion of these are running GNU/Linux malware.

> There has never been an example of a .deb file from a project website
> installing one of these non-existent nasties!

See above.

> If there had been someone would have noticed fast! It would have been
> all over forums like this one and the perps well and truly outed.

You are assuming malware gets spotted quickly. Depends what it is: say it just modifies sshd, or puts a kernel module in that allows remote shell access if a certain port sequence is tried, then it will probably sit until someone starts exploiting it. Sure, if it spews, or tries to spread like a virus, someone will twig fast. But there is different malware for different occasions. Almost all of it has some sort of auto-update mechanism.

If you place your repository in sources.list.d the auto-update comes free; I believe the Chromium package from Google takes this liberty with your system. Does the phrase "bait and switch" mean anything? Given Google's happiness to push their toolbar on people, would you want them having root on your system? Install their 3rd party Chromium package and they can update anything each time you run an "aptitude safe-upgrade".

> So to tell someone all this stuff about non existing dangers is paranoid,
> irresponsible and hysterical.

Neil's complaint was largely that badly formed deb files can mess up your system accidentally, i.e. without the distro quality control you'll end up with Microsoft Windows quality package maintenance, with packages touching other packages' files, or name space clashes, or breaking security updates, or leaving files behind that then mess up the official version of the same or similar named software.

> As for compiling from source, well unless you're going to inspect it
> line by line there could be anything in there!

Indeed, but you won't mess up the dependencies of the deb files, and most things built with the GNU configure/automake tools will install in /usr/local and keep out of the way of packaged software. Just as risky for malware, but less risky from a maintenance perspective.

There is nothing stopping people making 3rd party debs correctly, but basically if your 3rd party deb is well formed, and as good as a Debian one, email a DD and they'll probably sponsor it (I expect the same goes for Ubuntu developers). Not as if Debian Developers are averse to others doing the hard work.

> People who spread this kind of FUD are probably paid to do it by closed
> source copyrighted software organisations to scare people away from OSS!

Yeah right.... Better worry then, because Neil is a DD, so his uploads end up in the Debian (and thence Ubuntu) repositories - so he has root on most of our systems (heck, he also has the root password on mine!) - and if he is paid to spread FUD wouldn't it be easier for him just to install the malware centrally?

Installation from the central repositories is no guarantee of freedom from malware, or of the well-formed nature of packages. But there is a documented and maintained set of tests such packages must pass. These tools are free software, and a third party could use them, but rarely are third party repositories managed with that level of sophistication. I did use "dotdeb" for a while, which was reasonably well maintained, but it still created issues for me, and one day the versions I was interested in "disappeared". Whereas Debian repositories are archived, you can always roll back to any point in time (binary backward compatibility of software permitting).

At the end of the day security is about keeping the systems running as well as protecting the data and integrity. Using the official repositories for the big distros will improve your chances on all of these fronts.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
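The message above turns on two concrete facts about .deb files: the maintainer scripts inside them run as root at install time, and a package can quietly add its own entry under /etc/apt/sources.list.d so that every later upgrade pulls whatever the vendor publishes. The following script is an added example, not code from this thread or from dpkg/apt, showing how to look at those things in a third-party package without installing it. It builds a constructed sample package (the "example-browser" name, its paths and the example.invalid URL are all made up for the demonstration) and then parses the .deb container with the standard library only: the ar archive, the control tarball with its preinst/postinst/prerm/postrm scripts, and the data tarball with the files to be unpacked.

```python
"""Inspect a third-party .deb before letting dpkg run it as root.

A .deb is an ar archive holding debian-binary, control.tar.* (metadata plus
the preinst/postinst/prerm/postrm maintainer scripts, which dpkg executes as
root) and data.tar.* (the files unpacked onto the system). This script parses
that layout, reports the maintainer scripts, flags ones that touch apt's
sources or keyrings, and lists payload paths outside /usr/local and /opt,
where they can clobber distro-owned files.

Caveat: newer dpkg may compress data.tar with zstd, which tarfile cannot
read; run `dpkg-deb --ctrl-tarfile` / `dpkg-deb --fsys-tarfile` first and
feed the resulting tar streams to _tar_entries() in that case.
"""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
SAFE_PREFIXES = ("/usr/local/", "/opt/")
# Strings whose presence in a maintainer script means the package is giving
# itself (or its vendor) a persistent foothold in apt.
APT_SOURCE_MARKERS = ("sources.list", "apt-key", "trusted.gpg", "/usr/share/keyrings")


def _ar_member(name, data):
    """Build one ar member: 60-byte header + data, padded to an even length."""
    header = (f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n").encode()
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _targz(members):
    """Constructed tar.gz from (path, content, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content, mode in members:
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb():
    """Constructed sample (hypothetical 'example-browser' package): its postinst
    drops a new apt source, and its payload lands on a distro-owned path."""
    control = _targz([
        ("./control", b"Package: example-browser\nVersion: 1.0\nArchitecture: all\n"
                      b"Maintainer: nobody@example.invalid\nDescription: constructed sample\n", 0o644),
        ("./postinst", b"#!/bin/sh\nset -e\n"
                       b"echo 'deb http://example.invalid/apt stable main' "
                       b"> /etc/apt/sources.list.d/example-browser.list\n", 0o755),
    ])
    data = _targz([
        ("./usr/local/bin/example-browser", b"#!/bin/sh\necho hi\n", 0o755),
        ("./usr/lib/libexample.so.1", b"", 0o644),  # lands among distro-owned files
    ])
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))


def parse_ar(blob):
    """Return {member name: bytes} for an ar archive (what `ar t` would list)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        name = header[:16].decode("ascii").strip().rstrip("/")  # GNU ar suffixes '/'
        size = int(header[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are 2-byte aligned
    return members


def _tar_entries(data):
    """Yield (absolute path, content) for regular files in a tar.gz/xz/bz2."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for info in tf:
            path = info.name[1:] if info.name.startswith("./") else info.name
            path = path if path.startswith("/") else "/" + path
            content = tf.extractfile(info).read() if info.isfile() else b""
            yield path, content


def inspect_deb(blob):
    """Report maintainer scripts, apt-source tampering and out-of-place files."""
    members = parse_ar(blob)
    control = next(v for k, v in members.items() if k.startswith("control.tar"))
    data = next(v for k, v in members.items() if k.startswith("data.tar"))
    report = {"scripts": {}, "adds_apt_source": [], "outside_local": []}
    for path, content in _tar_entries(control):
        name = path.lstrip("/")
        if name in MAINTAINER_SCRIPTS:
            text = content.decode("utf-8", errors="replace")
            report["scripts"][name] = text
            if any(marker in text for marker in APT_SOURCE_MARKERS):
                report["adds_apt_source"].append(name)
    for path, _ in _tar_entries(data):
        if not path.startswith(SAFE_PREFIXES):
            report["outside_local"].append(path)
    return report


if __name__ == "__main__":
    report = inspect_deb(build_sample_deb())
    for name, body in report["scripts"].items():
        print(f"--- {name} (dpkg runs this as root) ---\n{body}")
    print("scripts that add apt sources/keys:", report["adds_apt_source"])
    print("payload outside /usr/local and /opt:", report["outside_local"])
```

To use it on a real download, replace build_sample_deb() with open("pkg.deb", "rb").read(). The marker list is deliberately crude: it will not catch a postinst that fetches a second-stage script over the network, which is why reading the scripts in full (and checking that the payload stays under /usr/local or /opt, as the source-built software discussed above does) matters more than the automatic flags.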