Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

On 6/1/06, Thorsten Leemhuis <fedora leemhuis info> wrote:
1. create a package, prepare it for review
2. get it reviewed and yourself sponsored
3. import it and build
4. checkout some popular packages, upload new tarballs with slightly
different names and a root-kit in it. Modify the "Source0" accordingly
5. commit the changes, hit "CTRL-C" at the right point of time so the
commit-message is not sent to commits-list
6. wait until the maintainer fixes something else in the package and
rebuilds it without noticing the changes done to CVS in between

Most of us have locally checked out copies of our packages in the
extras CVS, so this won't work -- cvs commit will bail with "uptodate
check failed for foo.spec". The maintainer will go "whaaaa?", run CVS
diff, notice the updated Source0, go "that's funny, I don't remember
changing that," and then there will be a lot of ass-whoopin', as the
new source is downloaded and examined.

The system is less broken than you think.

Konstantin Ryabitsev
Montréal, Québec
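The check Konstantin describes (the maintainer's local checkout disagrees with the repository, `cvs diff` shows a changed Source0, and the new tarball is examined) can be automated. The script below is an added example written for this thread, not code from the Fedora Extras infrastructure or from either poster. It compares the `SourceN:` tags of a locally checked-out spec against the version now in the repository and verifies that a tarball is listed, by name and md5, in a `sources` hash file. The spec texts, the tarball bytes and the `sources` line format ("<md5>  <filename>") are all constructed assumptions for the example.

```python
import hashlib
import re

# Constructed sample: the spec as the maintainer last committed it
# (this is what the local checkout contains).
LOCAL_SPEC = """\
Name:    foo
Version: 1.2
Source0: http://example.invalid/foo-1.2.tar.gz
"""

# Constructed sample: the spec as it now sits in the repository after
# someone else committed a Source0 pointing at a different tarball.
REPO_SPEC = """\
Name:    foo
Version: 1.2
Source0: http://example.invalid/foo-1.2-fixed.tar.gz
"""

# Constructed sample hash file recorded by the maintainer.  The format
# "<md5>  <filename>" is an assumption for this example.  The md5 is that
# of the stand-in tarball bytes b"hello".
KNOWN_SOURCES = "5d41402abc4b2a76b9719d911017c592  foo-1.2.tar.gz\n"

SOURCE_RE = re.compile(r"^\s*(Source\d*)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def spec_sources(spec_text):
    """Return {tag: url} for every SourceN: line in a spec file."""
    return {tag.capitalize(): url for tag, url in SOURCE_RE.findall(spec_text)}


def changed_sources(local_spec, repo_spec):
    """Source tags whose URL differs between local checkout and repository.

    Returns {tag: (local_url, repo_url)}; an empty dict means nothing moved.
    This is the automated form of 'run cvs diff, notice the updated Source0'.
    """
    local, repo = spec_sources(local_spec), spec_sources(repo_spec)
    return {
        tag: (local.get(tag), repo.get(tag))
        for tag in sorted(set(local) | set(repo))
        if local.get(tag) != repo.get(tag)
    }


def parse_sources_file(text):
    """Parse '<md5>  <filename>' lines into {filename: md5}."""
    known = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            known[parts[1]] = parts[0]
    return known


def tarball_is_known(filename, data, sources_text):
    """True only if both the tarball's name and its md5 match a recorded entry.

    A renamed tarball fails on the name; a same-named but altered tarball
    fails on the hash.
    """
    known = parse_sources_file(sources_text)
    return known.get(filename) == hashlib.md5(data).hexdigest()


def audit(local_spec, repo_spec, filename, data, sources_text):
    """Collect human-readable findings; an empty list means the package is clean."""
    findings = []
    for tag, (old, new) in changed_sources(local_spec, repo_spec).items():
        findings.append(f"{tag} changed in repository: {old!r} -> {new!r}")
    if not tarball_is_known(filename, data, sources_text):
        findings.append(f"{filename} is not recorded in the sources file (or its md5 differs)")
    return findings


if __name__ == "__main__":
    # Stand-in tarball bytes; a swapped tarball would carry a different name/hash.
    for line in audit(LOCAL_SPEC, REPO_SPEC, "foo-1.2-fixed.tar.gz", b"hello", KNOWN_SOURCES):
        print("WARNING:", line)
```

Running the script against the constructed inputs reports both the changed `Source0` and the unrecorded tarball name, which is exactly the pair of signals that makes the maintainer stop and examine the new source before rebuilding.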

