FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousand systems were infected (was Re: Summary from last week's FESCo meeting)

Thorsten Leemhuis fedora at leemhuis.info
Thu Jun 1 15:30:27 UTC 2006


On Thursday, 01.06.2006, 11:09 -0400, seth vidal wrote:
> On Thu, 2006-06-01 at 17:00 +0200, Thorsten Leemhuis wrote:
> > The biggest problem probably is: There are plans to switch away from CVS
> > to something else after FC6 (no, that's all I know). So investing too
> > much time in the current system probably is not worth the trouble.
> > 
> > I would already sleep a lot better if at least the issue with "hit CTRL
> > +C at the right moment and no commit mail with the changes will be sent"
> > were fixed. But I don't know CVS well enough and would be really glad if
> > someone could look into that. 
> > 
> > I would even sleep really well if there were a mechanism that checks
> > md5sums against upstream packages. But that's quite complicated to
> > implement and might be too much overhead.
> > 
> Actually, is it all that complicated?
> 
> for each package in cvs:
>  1. download the spec file
>  2. download the tarball that's been uploaded
>  3. download link in Source0 or Source
>  4. compare checksum to tarball's checksum
>  5. keep track of url to Source0 or Source and emit a notice whenever it
> changes
>
> wouldn't that really be all there is to it?

Who says that the link to Source0 or Source is correct and not faked,
too? We would have to manage a whitelist for the script.

CU
thl

-- 
Thorsten Leemhuis <fedora at leemhuis.info>
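The checker Seth sketches above, with Thorsten's whitelist objection folded in, as an added example. This is not code from the thread or from Fedora infrastructure; it assumes a hypothetical whitelist of upstream hosts, uses SHA-256 rather than md5sum, and replaces the network download with a lookup over constructed in-memory tarballs so it runs offline. The only macros it expands in Source0 are %{name} and %{version}; anything else is left alone, so an unexpanded URL fails the host check instead of passing silently.

```python
"""Audit an uploaded tarball against its Source0 upstream, with a host whitelist."""
import hashlib
import re
from urllib.parse import urlparse

# Hypothetical whitelist of upstream download hosts (an assumption for this
# example, not a real Fedora list). A Source0 pointing anywhere else is
# reported rather than trusted as the reference copy, because a faked
# Source0 can point at a tarball that matches the backdoored upload.
TRUSTED_HOSTS = {"ftp.gnu.org", "downloads.sourceforge.net"}

# Matches "Name:", "Version:", "Source:" and "Source0:" lines of a spec file.
TAG_RE = re.compile(r"^\s*(Name|Version|Source0?)\s*:\s*(\S+)\s*$", re.I | re.M)


def source_url(spec_text):
    """Return the Source0/Source URL of a spec with %{name}/%{version} expanded."""
    tags = {}
    for key, value in TAG_RE.findall(spec_text):
        tags.setdefault(key.lower().rstrip("0"), value)  # first occurrence wins
    url = tags.get("source")
    if url is None:
        return None
    for macro in ("name", "version"):
        if macro in tags:
            url = url.replace("%%{%s}" % macro, tags[macro])
    return url


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit(pkg, spec_text, uploaded_tarball, fetch, last_seen_url):
    """Run the checks from the thread and return a list of notices (empty = clean).

    fetch(url) downloads the upstream tarball (here a dict lookup);
    last_seen_url is the Source0 recorded on the previous run, or None.
    """
    notices = []
    url = source_url(spec_text)
    if url is None:
        return ["%s: no Source0/Source tag in spec" % pkg]
    host = urlparse(url).hostname or ""
    if last_seen_url is not None and url != last_seen_url:
        notices.append("%s: Source0 changed from %s to %s" % (pkg, last_seen_url, url))
    if host not in TRUSTED_HOSTS:
        # Do not compare checksums against a host we do not trust.
        notices.append("%s: Source0 host %r not whitelisted: %s" % (pkg, host, url))
        return notices
    upstream = fetch(url)
    if upstream is None:
        notices.append("%s: could not fetch %s" % (pkg, url))
    elif sha256(upstream) != sha256(uploaded_tarball):
        notices.append("%s: uploaded tarball %s != upstream %s"
                       % (pkg, sha256(uploaded_tarball)[:12], sha256(upstream)[:12]))
    return notices


# Constructed sample data: a minimal spec, a "clean" tarball, a tampered one,
# and a fake upstream that serves the tampered copy from a non-whitelisted host.
SPEC = """\
Name:           foo
Version:        1.2
Release:        1%{?dist}
Source0:        http://ftp.gnu.org/gnu/foo/%{name}-%{version}.tar.gz
"""
GOOD_URL = "http://ftp.gnu.org/gnu/foo/foo-1.2.tar.gz"
EVIL_SPEC = SPEC.replace("http://ftp.gnu.org/gnu/foo", "http://evil.example")
GOOD_TARBALL = b"pretend this is foo-1.2.tar.gz"
BACKDOORED = GOOD_TARBALL + b"\n# extra: rootkit"
UPSTREAM = {GOOD_URL: GOOD_TARBALL, "http://evil.example/foo-1.2.tar.gz": BACKDOORED}


if __name__ == "__main__":
    for label, spec, tarball in (("clean", SPEC, GOOD_TARBALL),
                                 ("tampered upload", SPEC, BACKDOORED),
                                 ("faked Source0", EVIL_SPEC, BACKDOORED)):
        print(label, audit("foo", spec, tarball, UPSTREAM.get, GOOD_URL) or ["ok"])
```

The order of the checks is the point: a changed Source0 is reported first, and the checksum comparison only runs when the URL's host is on the whitelist, so an attacker who uploads a backdoored tarball and edits Source0 to match gets a notice instead of a clean result.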




More information about the fedora-extras-list mailing list