Manoj Srivastava wrote:

> But if the person in question tested it, it would have
> worked -- the 'xploit was clever enough to test for the presence
[...]
> Unstable is an integral part of testing and QA process for
> debian -- the precise user base that the micq trojan targeted.

This was not an "exploit", nor was it a "trojan". The program simply refused to function normally if compiled in the particular way that the Debian maintainer typically did it (without any defined value for EXTRAVERSION, against upstream's clearly-expressed wishes), when run by anyone other than the Debian maintainer. It was a childishly petulant thing to do, but it makes no sense to call it an "exploit", as if it were somehow compromising the security of the end user's machine (it wasn't), nor to call it a "trojan", as if it were sneakily doing something behind the end user's back (it wasn't; the refusal to run is quite obvious when it happens, and the program is quite up-front about what it is doing and why).

Even to call it an "exploit" of the Debian development process is silly, since it's surely quite normal for new versions of programs to have behaviors (intentional or otherwise) that the package maintainer doesn't know about.

Had upstream simply left out the specific reference to the Debian maintainer, and perhaps made the package refuse to compile (or compile to an obviously non-working binary) without a reasonable value for EXTRAVERSION, then this would all be a complete non-issue. His mistakes were simply to make his patch Debian-specific, to obfuscate it, and to make it fail only when connecting to a server and only if the user was not the Debian maintainer. That was obnoxious, but it falls far short of being destructive or even particularly malicious. It really comes off as little more than a practical joke played by someone who was already quite justifiably annoyed with the behavior of Debian's micq maintainer.

It was childish and somewhat irresponsible, but no more so than describing it as a "trojan".

Craig