FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)
Thorsten Leemhuis
fedora at leemhuis.info
Thu Jun 1 15:43:11 UTC 2006
Am Donnerstag, den 01.06.2006, 11:36 -0400 schrieb seth vidal:
> On Thu, 2006-06-01 at 17:30 +0200, Thorsten Leemhuis wrote:
> > Am Donnerstag, den 01.06.2006, 11:09 -0400 schrieb seth vidal:
> > > On Thu, 2006-06-01 at 17:00 +0200, Thorsten Leemhuis wrote:
> > > > The biggest problem probably is: There are plans to switch away from CVS
> > > > to something else after FC6 (no, that's all I know). So investing to
> > > > much time in the current system probably is not worth the trouble.
> > > >
> > > > I would sleep already a lot better if at least the issue with "hit CTRL
> > > > +C at the right moment and no commit mail with the changes will be send"
> > > > would be fixed. But I don't know CVS enough and would be really glad if
> > > > someone could look into that.
> > > >
> > > > I would even sleep really good if there would be a mechanism that checks
> > > > md5sum's against upstream packages. But that's quite complicated to
> > > > implement and might be to much overhead.
> > > >
> > > Actually, is it all that complicated?
> > >
> > > for each package in cvs:
> > > 1. download the spec file
> > > 2. download the tarball that's been uploaded
> > > 3. download link in Source0 or Source
> > > 4. compare checksum to tarball's checksum
> > > 5. keep track of url to Source0 or Source and emit a notice whenever it
> > > changes
> > > wouldn't that really be all there is to it?.
> > Who says that the link to Source0 or Source is correct and not faked,
> > too? We would have to manage a whitelist for the script.
> Which is why it emits a notice about changes to that value.
Well, yeah, a external script that looks out for changes in that value
and checks the checksum could do the trick for 99% of the packages -- 1%
are still problematic because we have some modified tarballs where for
example mp3 support was removed (but that another problem and shouldn't
happen that often).
CU
thl
--
Thorsten Leemhuis <fedora at leemhuis.info>
More information about the fedora-extras-list
mailing list