FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

[Hans de Goede]

Thorsten Leemhuis wrote:
> Am Donnerstag, den 01.06.2006, 08:51 -0400 schrieb Konstantin Ryabitsev:
>> On 6/1/06, Thorsten Leemhuis <fedora at leemhuis.info> wrote:
>>> 1. create a package, prepare it for review
>>> 2. get it reviewed and yourself sponsored
>>> 3. import it and build
>>> 4. checkout some popular packages, upload new tarballs with a slightly
>>> different names and a root-kit in it. Modify the "Source0" accordingly
>>> 5. commit the changes, hit "CTRL-C" at the right point of time so the
>>> commit-message is not send to commits-list
>>> 6. wait until the maintainer fixes something else in the package an
>>> rebuilds it without noticing the changes done to CVS in between
>> Most of us have locally checked out copies of our packages [...]
> 
> What makes your sure that "most of us" do it like that? I for example
> don't have them because I work on my packages from multiple machines. So
> I always do a fresh checkout (that way I always get a up2date common
> directory, too).
> 
> And in any case: "- instead of "6.": build the modified packages
> yourself -- chances are quite low that somebody will notice it" remains.
> 

What I do is I have a checkout on each of the machines I develop on and 
do cvs update as needed, when I do an update I check that only files 
which I expect to change change. Making it quite hard (but not 
impossible) to sneak something in unseen.

As for the immediatly build it trick, I would notice this in the build 
report which I always read.

I'm not saying its impossible, I'm saying its not _that_ easy. Maybe we 
should write a couple of guidelines for packagerss on how they can check 
that there packages aren't modified by someone else without them 
knowing? Combine this with having more then one packager for the really 
popular packages and I think we're ok.

Regards,

Hans