FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Hans de Goede j.w.r.degoede at hhs.nl
Thu Jun 1 12:47:35 UTC 2006


Paul P Komkoff Jr wrote:
> Replying to Thorsten Leemhuis:
>> 4. checkout some popular packages, upload new tarballs with slightly
>> different names and a root-kit in it. Modify the "Source0" accordingly
>> 5. commit the changes, hit "CTRL-C" at the right point of time so the
>> commit-message is not sent to commits-list
> 
> Either I am wrong or this clearly shows a major flaw in current
> infrastructure when anyone with commit access can modify anything in the
> extras tree?
> 
> 

Flaw, more of a feature. I like the current openness of FE and I think 
we should be very careful to not lose this openness.

I share Thl's worries, actually I kinda whispered them into his ear, but 
I was whispering because I didn't want my worries to lead to a 
discussion which in turn could lead to a much more closed FE. We're a 
community distro, trust is important if not vital!

Personally I'm trying to be careful with whom I sponsor, checking for 
previous OSS work, etc. and monitoring every move they make for some time 
after I sponsor them until I'm comfortable that they can be trusted.

I think people who want to inject malware into OSS will always find a 
way; the fact that this currently hasn't happened much shows that we're 
apparently a healthy community and that the risks of getting caught are 
big enough to scare people away.

Regards,

Hans
