FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Konstantin Ryabitsev icon at fedoraproject.org
Thu Jun 1 14:06:54 UTC 2006


On 6/1/06, Thorsten Leemhuis <fedora at leemhuis.info> wrote:
> What makes you sure that "most of us" do it like that? I for example
> don't have them because I work on my packages from multiple machines. So
> I always do a fresh checkout (that way I always get an up2date common
> directory, too).

Then maybe YOUR practices should be questioned, not everyone's. If you
don't zealously track CVS commits to your packages, then you are the
broken part, not the system.

> And in any case: "- instead of "6.": build the modified packages
> yourself -- chances are quite low that somebody will notice it" remains.

You can check out my packages, trojan them, cvs commit them, and build
them. They will get signed and get released. However, since I follow
the new releases for Extras, I will quickly notice that something went
wrong, and perform the needed steps to pull it.

1. Yes, you will succeed in trojaning my packages for a brief while
2. This won't take very long to get noticed
3. You will be dealt with accordingly -- most likely involving the
police/fbi/etc

We are not working in a fully anonymous environment -- there is a
certain level of trust between the members of the Extras packaging
community. Getting CVS commit access requires certain steps that
usually weed out your regular pranksters (including sending a signed
fax to RH HQ), and if you are totally hell-bent on poisoning the
system, then there's little we can do short of making the process even
more arduous and slow for everyone who wants to participate.

In any case, this isn't a contingency we should really be spending
that much time over, short of potentially developing a system of ACLs
that would restrict CVS commits only to the actual package owners. We
can safely assume that as time passes, the chances of having a
trojaned package in Extras approacheth 100%. Therefore, instead of
hand-wringing and self-flagellating, let's work out a course of
action to take if someone, indeed, manages to sneak through a
trojaned package.

Regards,
--
Konstantin Ryabitsev
Montréal, Québec
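The ACL idea raised in the post (restrict commits to the actual package owners) can also be run as an after-the-fact audit over commit notifications, which is the "zealously track CVS commits" habit turned into a script. The following is an added example, not code from the poster or from Fedora Extras; the owners-file layout, the commit-notification line format and all names in it are constructed for illustration.

```python
"""Flag commits to a package made by someone who is not one of its owners."""
import re
from collections import defaultdict

# Constructed owners list (hypothetical format): "<package>: <owner>, <co-maintainer>, ..."
OWNERS_TXT = """\
foo: alice, bob
bar: carol
baz: alice
"""

# Constructed commit-notification lines: "<date> <committer> <package>/<path> <message>"
COMMITS_TXT = """\
2006-06-01 alice foo/foo.spec bump to 1.2
2006-06-01 mallory foo/foo.spec add helpful patch
2006-06-01 carol bar/bar.spec rebuild
2006-06-01 bob baz/sources new tarball
2006-06-01 dave qux/qux.spec import
"""

COMMIT_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^/\s]+)/(\S+)\s*(.*)$")


def parse_owners(text):
    """Map package name -> set of accounts allowed to commit to it."""
    owners = defaultdict(set)
    for line in text.splitlines():
        if ":" not in line:
            continue
        pkg, people = line.split(":", 1)
        owners[pkg.strip()] = {p.strip() for p in people.split(",") if p.strip()}
    return owners


def audit_commits(commits_text, owners):
    """Return (date, committer, package, path, message) for every commit that
    needs review: committer not in the package's owner set, or package unknown
    (a package with no owners entry is treated as owned by nobody)."""
    flagged = []
    for line in commits_text.splitlines():
        m = COMMIT_RE.match(line)
        if not m:
            continue  # malformed notification line; ignored rather than trusted
        date, who, pkg, path, msg = m.groups()
        if who not in owners.get(pkg, set()):
            flagged.append((date, who, pkg, path, msg))
    return flagged


if __name__ == "__main__":
    for date, who, pkg, path, msg in audit_commits(COMMITS_TXT, parse_owners(OWNERS_TXT)):
        print("REVIEW %s: %s committed %s/%s (%s)" % (date, who, pkg, path, msg))
```

Run against the constructed input it reports mallory's commit to foo, bob's commit to baz (bob co-owns foo, not baz) and dave's commit to the unlisted package qux.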

More information about the fedora-extras-list mailing list