Christoph Anton Mitterer:
> Hey.
>
> I've decided that I think it's important to CC this d-d:
> Debian has a good system of securing packages and making sure that only
> signed stuff comes to the user.
> Over time I've seen many holes in this:
> - packages that are just wrapper packages, download something from
>   somewhere without doing any hashsum checks at all

I'm as concerned as you are and collected some examples over time that
might give a perspective:
http://www.koch.ro/blog/index.php?/archives/153-On-distributing-binaries.html

September 2009  Apache.org got hacked - twice in eight months.
December 2010   The proftpd source code contains a backdoor.
January 2011    Sourceforge, one of the biggest distributors of free software, got hacked.
June 2011       The Wordpress plugins AddThis, WPtouch and W3 Total Cache contain backdoors.
July 2011       The vsftpd server download was replaced with a hacked version.
July 2011       VLC suffers from companies spreading malware bundled with VLC.
August 2011     kernel.org got hacked.
September 2011  MySQL.com hacked to serve malware.
November 2011   Takedown of the largest botnet ever. DNS resolving of the bots was compromised.
December 2011   Does download.com enrich their downloads with malware?
February 2012   Unnoticed for 3 months, the Horde project served compromised downloads.

I think as a start it should be made a policy that any "wrapper" package
that downloads code from the net must at least do a strong checksum check
on the downloaded code.

What about a debhelper script that receives a URL (or set of mirror URLs)
and a SHA1 and does the download and check?

Regards,

Thomas Koch, http://www.koch.ro
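One way the download-and-check helper proposed above could look, as an added example that is not part of the original message and not an existing debhelper tool. It assumes the expected digest is pinned in the (signed) source package, that curl is available for http(s) URLs, and that file:// URLs are acceptable for offline testing; it also uses SHA-256 rather than the SHA-1 mentioned in the post, which is my choice for the example. The script tries mirrors in order, downloads to a temporary file, and only moves the file into place once the digest matches, so a tampered or truncated download never ends up where the package would install it.

```shell
#!/bin/sh
# dl-verify: fetch a file from the first mirror whose content matches a
# pinned SHA-256 digest, and refuse everything else.
# Added example, not a real debhelper script. Assumptions: the digest comes
# from the signed source package; curl handles http(s); file:// is supported
# so the script can be exercised without network access.

# Print the hex SHA-256 of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Fetch one URL into a destination path; non-zero exit on any failure.
fetch_url() {
    u=$1; out=$2
    case "$u" in
        file://*)           cp -- "${u#file://}" "$out" ;;
        http://*|https://*) curl -fsSL --retry 2 -o "$out" -- "$u" ;;
        *) echo "dl-verify: unsupported URL scheme: $u" >&2; return 1 ;;
    esac
}

# dl_verify <expected-sha256> <destination> <mirror-url>...
# Downloads to <destination>.part, checks the digest, and only then renames
# the file into place. Returns 1 if no mirror delivers matching content.
dl_verify() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); dest=$2; shift 2
    tmp="$dest.part"
    for url in "$@"; do
        rm -f -- "$tmp"
        if fetch_url "$url" "$tmp"; then
            actual=$(sha256_of "$tmp")
            if [ "$actual" = "$expected" ]; then
                mv -- "$tmp" "$dest"
                return 0
            fi
            echo "dl-verify: $url: digest mismatch (got $actual)" >&2
        else
            echo "dl-verify: $url: download failed" >&2
        fi
    done
    rm -f -- "$tmp"
    echo "dl-verify: no mirror delivered a file with digest $expected" >&2
    return 1
}

# Hypothetical usage from a package hook (digest and URLs are placeholders):
# dl_verify 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
#     vendor.tar.gz https://mirror1.example/vendor.tar.gz https://mirror2.example/vendor.tar.gz
```

The digest check is what turns an unauthenticated download into something the signed package actually vouches for: whoever can alter the mirror still cannot change the digest that ships inside the package. Trying several mirrors only helps availability; a mismatch on one mirror is logged and the next is tried, and if none matches the script fails closed and leaves no partial file behind.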