
Re: leaks in our only-signed-software fortress



Christoph Anton Mitterer:
> Hey.
> 
> I've decided that I think it's important to CC this d-d:
> Debian has a good system of securing packages and making sure that only
> signed stuff comes to the user.
> Over time I've seen many holes in this:
> - packages that are just wrapper packages, download something from
>   somewhere without doing any hashsum checks at all

I'm as concerned as you are and collected some examples over time that might 
give a perspective:
http://www.koch.ro/blog/index.php?/archives/153-On-distributing-binaries.html

    September 2009 Apache.org got hacked - twice in eight months.
    December 2010 The proftpd source code contains a backdoor
    January 2011 Sourceforge, one of the biggest distributors of free software, got hacked.
    June 2011 The Wordpress plugins AddThis, WPtouch and W3 Total Cache contain backdoors
    July 2011 The vsftpd server download was replaced with a hacked version
    July 2011 VLC suffers from companies spreading malware bundled with VLC
    August 2011 kernel.org got hacked
    September 2011 MySQL.com hacked to serve malware
    November 2011 Takedown of the largest botnet ever. DNS resolving of the bots was compromised.
    December 2011 Does download.com enrich their downloads with malware?
    February 2012 Unnoticed for 3 months, the Horde project served compromised downloads

I think as a start it should be made a policy that any "wrapper" package that 
downloads code from the net must at least do a strong checksum check on the 
downloaded code.

What about a debhelper script that receives a URL (or set of mirror URLs) and 
a SHA1 and does the download and check?

Regards,

Thomas Koch, http://www.koch.ro

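The helper Thomas sketches above, as an added example (not code from this thread or from debhelper): a POSIX sh function that takes an expected digest, an output path and a list of mirror URLs, fetches with curl, and keeps a file only if its digest matches, falling through to the next mirror on failure or mismatch. It uses SHA-256 instead of the SHA-1 mentioned above, since SHA-1 is no longer collision-resistant; the function names and the curl-based fetch are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical download-and-verify helper (added example, not a real debhelper tool).
# Usage: fetch_verified EXPECTED_SHA256_HEX OUTFILE URL [URL...]
set -u

# Hex SHA-256 digest of a file; works with coreutils sha256sum or perl shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Download one URL to a path. Kept separate so it can be replaced in tests.
fetch_url() {
    curl -fsSL --max-time 120 -o "$2" "$1"
}

fetch_verified() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f'); out=$2; shift 2
    # Refuse anything that is not a full SHA-256 digest, so a typo in the
    # packaging cannot silently weaken the check.
    if [ "${#expected}" -ne 64 ]; then
        echo "fetch_verified: expected a 64-hex-char SHA-256 digest" >&2
        return 2
    fi
    tmp="$out.part"
    for url in "$@"; do
        rm -f "$tmp"
        if ! fetch_url "$url" "$tmp"; then
            echo "fetch_verified: download failed: $url" >&2
            continue
        fi
        actual=$(hash_file "$tmp")
        if [ "$actual" = "$expected" ]; then
            mv "$tmp" "$out"          # only now does the file reach the build
            return 0
        fi
        # A mismatch means a corrupt or tampered mirror: discard, try the next.
        echo "fetch_verified: checksum mismatch from $url (got $actual)" >&2
        rm -f "$tmp"
    done
    echo "fetch_verified: no mirror served a file matching $expected" >&2
    return 1
}
```

Pinning the digest in the package means a swapped tarball on any mirror (the vsftpd and Horde cases above) fails the build instead of reaching users.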