FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Thu Jun 1 13:46:44 UTC 2006

Am Donnerstag, den 01.06.2006, 15:10 +0200 schrieb Hans de Goede:
> Thorsten Leemhuis wrote:
> > Am Donnerstag, den 01.06.2006, 08:51 -0400 schrieb Konstantin Ryabitsev:
> >> On 6/1/06, Thorsten Leemhuis <fedora at leemhuis.info> wrote:
> >>> 1. create a package, prepare it for review
> >>> 2. get it reviewed and yourself sponsored
> >>> 3. import it and build
> >>> 4. checkout some popular packages, upload new tarballs with a slightly
> >>> different names and a root-kit in it. Modify the "Source0" accordingly
> >>> 5. commit the changes, hit "CTRL-C" at the right point of time so the
> >>> commit-message is not send to commits-list
> >>> 6. wait until the maintainer fixes something else in the package an
> >>> rebuilds it without noticing the changes done to CVS in between
> >> Most of us have locally checked out copies of our packages [...]
> > What makes your sure that "most of us" do it like that? I for example
> > don't have them because I work on my packages from multiple machines. So
> > I always do a fresh checkout (that way I always get a up2date common
> > directory, too).
> > And in any case: "- instead of "6.": build the modified packages
> > yourself -- chances are quite low that somebody will notice it" remains.
> What I do is I have a checkout on each of the machines I develop on and 
> do cvs update as needed, when I do an update I check that only files 
> which I expect to change change. Making it quite hard (but not 
> impossible) to sneak something in unseen.
> 
> As for the immediatly build it trick, I would notice this in the build 
> report which I always read.

And yum would have installed it already on some machines if you were
asleep when the packages were pushed (not to mention that the packages
would be on several mirrors in between, too; and also ignoring the fact
we're all offline for longer now and then -- weekends, holidays,
illness, ...).

> I'm not saying its impossible, I'm saying its not _that_ easy.

I'm saying we can't make it impossible that something bad sneaks in, but
currently it's IMHO to easy and we should make it harder without making
it much harder for the contributors.

>  Maybe we 
> should write a couple of guidelines for packagerss on how they can check 
> that there packages aren't modified by someone else without them 
> knowing? Combine this with having more then one packager for the really 
> popular packages and I think we're ok.

That's a lot of work for the contributors, overloads them and has a high
risk that at least some contributors simply ignore the "guidelines" and
don't check there stuff properly IMHO. 

CU
thl