[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proposal for removal of mICQ package

On Fri, Feb 14, 2003 at 04:46:10AM +1000, Anthony Towns wrote:
> A trojan horse? It prints out something equivalent to "The Debian
> developer sucks, use my .debs instead", and exits. It does so in a way
> that's obfuscated. If it had been written as:
>       long Feb11th = 1045000000;
>       if (strcmp(me, "madkiss") == 0 && time(NULL) > Feb11th) {
>               printf("Please don't use these debs, they're broken.\n");
>               exit(99);
>       }

I think the obfuscation is the point.  He deliberately sneaked code
past the package maintainer.  If the patch has been as you describe
(i.e. no hiding, and checking for _equal_ to "madkiss" rather than
anyone other than madkiss), then I wouldn't have much of a problem
with it.  I'd want the timestamp check to be gone too, actually --
making the package blow up in the packager's face if EXTRAVERSION is
not set would have been a much more direct (and, I suspect, much more
effective) way to get his point across.  Instead, he shows a fondness
for deception, and for that I distrust him.

(Note that as far as I know we haven't heard from Rüdiger yet, so
he can still change this impression.)

> As far as avoiding getting trojan horses in the distribution goes, isn't
> that why we have maintainers?

No.  I agree that _this_ patch should have been spotted, but careful
checking by the Debian maintainer is not a substitute for trusting the
upstream source.  Trojan code can be as simple as introducing a buffer
overflow that only the author knows about, and it can be just as hard
to spot.

Richard Braakman

Reply to: