Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

On Thursday, 01.06.2006, 08:51 -0400, Konstantin Ryabitsev wrote:
> On 6/1/06, Thorsten Leemhuis <fedora leemhuis info> wrote:
> > 1. create a package, prepare it for review
> > 2. get it reviewed and yourself sponsored
> > 3. import it and build
> > 4. checkout some popular packages, upload new tarballs with a slightly
> > different names and a root-kit in it. Modify the "Source0" accordingly
> > 5. commit the changes, hit "CTRL-C" at the right point of time so the
> > commit-message is not sent to commits-list
> > 6. wait until the maintainer fixes something else in the package and
> > rebuilds it without noticing the changes done to CVS in between
> Most of us have locally checked out copies of our packages [...]

What makes you sure that "most of us" do it like that? I for example
don't have them because I work on my packages from multiple machines. So
I always do a fresh checkout (that way I always get an up2date common
directory, too).

And in any case, "instead of '6.': build the modified packages
yourself -- chances are quite low that somebody will notice it" remains.
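The scenario above hinges on a maintainer (or a buildsystem) rebuilding from a spec whose Source0 now points at an archive nobody reviewed. The check below is an added example, not code from this thread or from Fedora's infrastructure: it reads the SourceN lines of a spec, hashes each referenced archive, and compares it against a manifest of hashes a reviewer recorded, so a swapped or never-approved tarball is flagged before the build rather than after. The spec fragment, archive bytes and manifest are constructed sample data; the package name is hypothetical.

```python
import hashlib
import re

# Constructed sample spec fragment (hypothetical package, not from the thread).
SPEC_TEXT = """\
Name:    example-pkg
Version: 1.2
Source0: example-pkg-1.2.tar.gz
Source1: example-pkg-1.2-extras.tar.gz
"""

# Constructed archive contents standing in for real tarballs in the checkout.
TARBALLS = {
    "example-pkg-1.2.tar.gz": b"legit upstream archive bytes",
    "example-pkg-1.2-extras.tar.gz": b"archive nobody recorded a hash for",
}

# Constructed manifest: hashes a reviewer recorded for the approved archives
# (a simplified stand-in for a per-package list of approved source hashes).
APPROVED_SHA256 = {
    "example-pkg-1.2.tar.gz": hashlib.sha256(b"legit upstream archive bytes").hexdigest(),
}

# Matches "Source0: name.tar.gz" style lines; the value may also be a URL.
SOURCE_RE = re.compile(r"^Source(\d+):\s*(\S+)\s*$", re.MULTILINE)


def source_files(spec_text):
    """Return the basenames of every SourceN entry in a spec, in order."""
    return [m.group(2).rsplit("/", 1)[-1] for m in SOURCE_RE.finditer(spec_text)]


def check_sources(spec_text, tarballs, approved):
    """Compare each SourceN archive against the recorded hash.

    Returns a dict mapping archive name to one of:
      'ok'       - hash matches the approved manifest
      'mismatch' - archive present but its bytes differ from the recorded hash
      'unknown'  - spec references an archive no reviewer ever approved
      'missing'  - spec references an archive that is not in the checkout
    """
    results = {}
    for name in source_files(spec_text):
        if name not in tarballs:
            results[name] = "missing"
        elif name not in approved:
            results[name] = "unknown"
        elif hashlib.sha256(tarballs[name]).hexdigest() != approved[name]:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # Source1 was added to the spec without any recorded hash, so it shows up
    # as 'unknown'; that is the case a rebuild would otherwise pick up silently.
    for name, status in check_sources(SPEC_TEXT, TARBALLS, APPROVED_SHA256).items():
        print(f"{status:8} {name}")
```

Running the check on the sample data reports Source0 as ok and Source1 as unknown; a build step that refuses anything other than ok closes the gap between "somebody committed a new Source0" and "somebody looked at it", regardless of whether the commit mail ever reached the list.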
