FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousand systems were infected (was Re: Summary from last weeks FESCo meeting)

seth vidal skvidal at linux.duke.edu
Thu Jun 1 15:09:49 UTC 2006


On Thu, 2006-06-01 at 17:00 +0200, Thorsten Leemhuis wrote:

> The biggest problem probably is: There are plans to switch away from CVS
> to something else after FC6 (no, that's all I know). So investing too
> much time in the current system probably is not worth the trouble.
> 
> I would already sleep a lot better if at least the issue with "hit CTRL+C
> at the right moment and no commit mail with the changes will be sent"
> would be fixed. But I don't know CVS well enough and would be really glad
> if someone could look into that.
> 
> I would even sleep really well if there were a mechanism that checks
> md5sums against upstream packages. But that's quite complicated to
> implement and might be too much overhead.
> 

Actually, is it all that complicated?

for each package in cvs:
 1. download the spec file
 2. download the tarball that's been uploaded
 3. download link in Source0 or Source
 4. compare checksum to tarball's checksum
 5. keep track of URL to Source0 or Source and emit a notice whenever it changes


Wouldn't that really be all there is to it?

It'd require a fair bit of bandwidth but not much else.

-sv
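One way to implement the five steps in the message above, as an added example that is not part of the original post and not code from Fedora Extras or its build tooling. It assumes a constructed spec excerpt and package name ("foo"), replaces the network download with an injectable `fetch` callable (a constructed dictionary stands in for upstream so it runs offline), uses SHA-256 instead of md5sum, and keeps the "last seen Source0 URL" record in a plain `state` dict, which a real cron job would persist to disk between runs.

```python
"""Audit an uploaded tarball against the URL named in the spec's Source0 tag.

Added example: parses Name/Version/Release and Source tags from a spec,
expands %{macros}, fetches the upstream URL, compares checksums, and
reports whenever the Source0 URL differs from the one recorded last time.
"""
import hashlib
import re
from typing import Callable, Dict, Optional

# Constructed spec excerpt for this example; not a real Fedora package.
SAMPLE_SPEC = """\
Name:           foo
Version:        1.2.3
Release:        1%{?dist}
Summary:        Example package
Source0:        http://downloads.example.org/foo/%{name}-%{version}.tar.gz
"""

TAG_RE = re.compile(
    r"^(?P<tag>Name|Version|Release|Source\d*)\s*:\s*(?P<val>\S.*?)\s*$",
    re.I | re.M,
)
MACRO_RE = re.compile(r"%\{(?P<opt>\??)(?P<name>[A-Za-z_]\w*)\}")


def expand_macros(value: str, macros: Dict[str, str]) -> str:
    """Expand %{name} and %{?name}; %{?x} becomes empty when x is undefined."""
    def repl(m):
        name = m.group("name").lower()
        if name in macros:
            return macros[name]
        return "" if m.group("opt") else m.group(0)   # leave unknown %{x} as-is
    prev = None
    while prev != value:          # repeat until no macro is left to expand
        prev, value = value, MACRO_RE.sub(repl, value)
    return value


def parse_spec(spec_text: str) -> Dict[str, Dict[str, str]]:
    """Return the Name/Version/Release macros and every Source* tag, expanded."""
    macros: Dict[str, str] = {}
    sources: Dict[str, str] = {}
    for m in TAG_RE.finditer(spec_text):
        tag, val = m.group("tag").lower(), m.group("val")
        if tag in ("name", "version", "release"):
            macros[tag] = val
        else:
            sources[tag] = val
    return {
        "macros": {k: expand_macros(v, macros) for k, v in macros.items()},
        "sources": {k: expand_macros(v, macros) for k, v in sources.items()},
    }


def primary_source(parsed: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Source0 wins; fall back to a bare 'Source:' tag."""
    return parsed["sources"].get("source0") or parsed["sources"].get("source")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_package(pkg: str, spec_text: str, uploaded_tarball: bytes,
                  fetch: Callable[[str], bytes], state: Dict[str, str]) -> Dict[str, object]:
    """Steps 3-5 of the mail: fetch Source0, compare checksums, flag URL changes."""
    url = primary_source(parse_spec(spec_text))
    previous = state.get(pkg)
    result: Dict[str, object] = {
        "package": pkg, "source_url": url, "previous_url": previous,
        "url_changed": previous is not None and previous != url,
        "checksum_match": None, "notes": [],
    }
    if url is None:
        result["notes"].append("no Source/Source0 tag; nothing to verify")
        return result
    state[pkg] = url                      # record what we saw for the next run
    if not url.lower().startswith(("http://", "https://", "ftp://")):
        result["notes"].append("Source0 is a bare filename, not a URL; cannot fetch upstream")
        return result
    try:
        upstream = fetch(url)
    except Exception as exc:              # 404, DNS failure, timeout, ...
        result["notes"].append(f"fetch failed: {exc}")
        return result
    uploaded_sum, upstream_sum = sha256_hex(uploaded_tarball), sha256_hex(upstream)
    result.update(uploaded_sha256=uploaded_sum, upstream_sha256=upstream_sum,
                  checksum_match=uploaded_sum == upstream_sum)
    return result


# Constructed stand-in for the network: URL -> tarball bytes.
FAKE_UPSTREAM = {
    "http://downloads.example.org/foo/foo-1.2.3.tar.gz": b"pristine foo-1.2.3 tarball",
}


def fake_fetch(url: str) -> bytes:
    if url not in FAKE_UPSTREAM:
        raise IOError(f"404 Not Found: {url}")
    return FAKE_UPSTREAM[url]


def demo():
    """Run three audits against one state dict: clean, tampered, and URL moved."""
    state: Dict[str, str] = {}
    clean = audit_package("foo", SAMPLE_SPEC, b"pristine foo-1.2.3 tarball", fake_fetch, state)
    tampered = audit_package("foo", SAMPLE_SPEC, b"pristine foo-1.2.3 tarball + rootkit", fake_fetch, state)
    moved_spec = SAMPLE_SPEC.replace("downloads.example.org", "mirror.example.net")
    moved = audit_package("foo", moved_spec, b"whatever", fake_fetch, state)
    return clean, tampered, moved


if __name__ == "__main__":
    for r in demo():
        print(r["source_url"], "match:", r["checksum_match"],
              "url_changed:", r["url_changed"], r["notes"])
```

The check only tells you whether the uploaded tarball is byte-identical to what the Source0 URL serves at audit time; it says nothing about whether upstream itself was compromised, and it cannot run at all when Source0 is a bare filename, so those cases are reported as notes rather than silently passed.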

More information about the fedora-extras-list mailing list