FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

[seth vidal]

On Thu, 2006-06-01 at 17:30 +0200, Thorsten Leemhuis wrote:
> Am Donnerstag, den 01.06.2006, 11:09 -0400 schrieb seth vidal:
> > On Thu, 2006-06-01 at 17:00 +0200, Thorsten Leemhuis wrote:
> > > The biggest problem probably is: There are plans to switch away from CVS
> > > to something else after FC6 (no, that's all I know). So investing to
> > > much time in the current system probably is not worth the trouble.
> > > 
> > > I would sleep already a lot better if at least the issue with "hit CTRL
> > > +C at the right moment and no commit mail with the changes will be send"
> > > would be fixed. But I don't know CVS enough and would be really glad if
> > > someone could look into that. 
> > > 
> > > I would even sleep really good if there would be a mechanism that checks
> > > md5sum's against upstream packages. But that's quite complicated to
> > > implement and might be to much overhead.
> > > 
> > Actually, is it all that complicated?
> > 
> > for each package in cvs:
> >  1. download the spec file
> >  2. download the tarball that's been uploaded
> >  3. download link in Source0 or Source
> >  4. compare checksum to tarball's checksum
> >  5. keep track of url to Source0 or Source and emit a notice whenever it
> > changes
> >
> > wouldn't that really be all there is to it?.
> 
> Who says that the link to Source0 or Source is correct and not faked,
> too? We would have to manage a whitelist for the script.
> 

Which is why it emits a notice about changes to that value.

-sv