Re: Proposal for removal of mICQ package
On Fri, Feb 14, 2003 at 04:46:10AM +1000, Anthony Towns wrote:
> A trojan horse? It prints out something equivalent to "The Debian
> developer sucks, use my .debs instead", and exits. It does so in a way
> that's obfuscated. If it had been written as:
>
> long Feb11th = 1045000000;
> if (strcmp(me, "madkiss") == 0 && time(NULL) > Feb11th) {
>     printf("Please don't use these debs, they're broken.\n");
>     exit(99);
> }
I think the obfuscation is the point. He deliberately sneaked code
past the package maintainer. If the patch had been as you describe
(i.e. no hiding, and checking for _equal_ to "madkiss" rather than
anyone other than madkiss), then I wouldn't have much of a problem
with it. I'd want the timestamp check to be gone too, actually --
making the package blow up in the packager's face if EXTRAVERSION is
not set would have been a much more direct (and, I suspect, much more
effective) way to get his point across. Instead, he shows a fondness
for deception, and for that I distrust him.
(Note that as far as I know we haven't heard from Rüdiger yet, so
he can still change this impression.)
> As far as avoiding getting trojan horses in the distribution goes, isn't
> that why we have maintainers?
No. I agree that _this_ patch should have been spotted, but careful
checking by the Debian maintainer is not a substitute for trusting the
upstream source. Trojan code can be as simple as introducing a buffer
overflow that only the author knows about, and it can be just as hard
to spot.
Richard Braakman