FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Konstantin Ryabitsev icon at fedoraproject.org
Thu Jun 1 12:51:44 UTC 2006


On 6/1/06, Thorsten Leemhuis <fedora at leemhuis.info> wrote:
> 1. create a package, prepare it for review
> 2. get it reviewed and yourself sponsored
> 3. import it and build
> 4. checkout some popular packages, upload new tarballs with slightly
> different names and a root-kit in it. Modify the "Source0" accordingly
> 5. commit the changes, hit "CTRL-C" at the right point of time so the
> commit-message is not sent to commits-list
> 6. wait until the maintainer fixes something else in the package and
> rebuilds it without noticing the changes done to CVS in between

Most of us have locally checked out copies of our packages in the
extras CVS, so this won't work -- cvs commit will bail with "uptodate
check failed for foo.spec". The maintainer will go "whaaaa?", run CVS
diff, notice the updated Source0, go "that's funny, I don't remember
changing that," and then there will be a lot of ass-whoopin', as the
new source is downloaded and examined.

The system is less broken than you think.

-- 
Konstantin Ryabitsev
Montréal, Québec
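The reply above relies on the maintainer noticing an unexpected Source0 change in a cvs diff. The following script is an added example, not code from the post or from the Fedora Extras tooling, showing how that manual check can be automated: it compares the SourceN/PatchN tags of a trusted spec revision against a fresh checkout, flags source changes that arrive without a matching Version bump (the pattern described in step 4), and verifies a downloaded tarball against a hash recorded at review time. The two spec texts, the tag names and the hash-recording helper are constructed for the example; the `sources`-file conventions of any real build system are not assumed.

```python
import hashlib
import re

# Constructed sample specs: the revision as last reviewed (trusted baseline)
# and the revision found in a fresh checkout. Only Source0 differs, and the
# Version tag has not moved, which is the suspicious pattern from the thread.
BASELINE_SPEC = """\
Name:           foo
Version:        1.2
Release:        1%{?dist}
Source0:        http://example.com/foo-1.2.tar.gz
Patch0:         foo-1.2-build.patch
"""

CHECKOUT_SPEC = """\
Name:           foo
Version:        1.2
Release:        2%{?dist}
Source0:        http://example.com/foo-1.2-fixed.tar.gz
Patch0:         foo-1.2-build.patch
"""

SOURCE_RE = re.compile(r"^(Source\d*|Patch\d*)\s*:\s*(\S+)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^Version\s*:\s*(\S+)\s*$", re.MULTILINE)


def source_tags(spec_text):
    """Return {tag: value} for every SourceN/PatchN line in a spec."""
    return {m.group(1): m.group(2) for m in SOURCE_RE.finditer(spec_text)}


def version_of(spec_text):
    """Return the Version tag value, or None if the spec has none."""
    m = VERSION_RE.search(spec_text)
    return m.group(1) if m else None


def changed_sources(baseline, checkout):
    """List (tag, old, new) for every source/patch tag whose value changed."""
    old, new = source_tags(baseline), source_tags(checkout)
    return [
        (tag, old.get(tag), new.get(tag))
        for tag in sorted(set(old) | set(new))
        if old.get(tag) != new.get(tag)
    ]


def suspicious_sources(baseline, checkout):
    """Source changes that are not explained by a Version bump.

    A new upstream release legitimately changes Source0 together with
    Version; a changed tarball name under an unchanged Version is the case
    a maintainer should examine before rebuilding.
    """
    if version_of(baseline) != version_of(checkout):
        return []
    return changed_sources(baseline, checkout)


def record_hash(data):
    """Hash a reviewed tarball so it can be verified on later downloads."""
    return hashlib.sha256(data).hexdigest()


def verify_tarball(data, expected_sha256):
    """True if the downloaded bytes match the hash recorded at review time."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


if __name__ == "__main__":
    for tag, old, new in suspicious_sources(BASELINE_SPEC, CHECKOUT_SPEC):
        print(f"{tag} changed without a Version bump: {old} -> {new}")
    reviewed = b"constructed tarball bytes"  # stands in for the reviewed file
    digest = record_hash(reviewed)
    print("tarball verifies:", verify_tarball(reviewed, digest))
```

Run against a real checkout, the two spec texts would come from the trusted revision (for example the one last built) and the working copy, and the recorded hash from whatever the project keeps alongside the spec; the check is meant to run before a rebuild, which is exactly the point in step 6 where the thread says the change would otherwise go unnoticed.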