Bug#726393: general: Possible malware infections in source packages
On 10/15/2013 03:09 PM, Dominique Dumont wrote:
On Tuesday 15 October 2013 13:19:38 Thijs Kinkhorst wrote:
It isn't a false positive in that regard that the package *does* in fact
contain the virus sample. However, it *is* a false positive, as the
sample is there intentionally, and no virus scanner can guess the reason
why it is there. It does no harm in the location where it is, it will
not spread, so is it in fact a virus? No, it isn't.
I'm missing why the package cannot use the EICAR test virus signature for
In the libmail-deliverystatus-bounceparser-perl case, the virus is used in the
non-regression tests, which are shipped in the original tarball (and in the Debian
*source* package). This virus is *not* shipped in the Debian binary package.
OK, you have already closed the ticket. I was expecting to find a
general policy of "maintainers should not allow malware from upstream",
but apparently this is not desired, or the discussion belongs somewhere else.
It doesn't really matter what the intention is; you are still allowing
malware to spread and potentially infecting users, as they are publicly
accessible. Just fetching the source package will give you this nice
In most cases, samples can be replaced with EICAR or equivalent to
trigger the expected result, or tested with unit tests and proper mocking.
Software Engineer, Linux Team
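As an added illustration of the "replace the sample with EICAR, or generate the fixture at test time" approach from the message above (example code written for this page, not from the bug thread, from Debian, or from the libmail-deliverystatus-bounceparser-perl module): the helper builds the 68-byte EICAR test file when the test runs instead of shipping it in the tarball, wraps it into a constructed bounce message as an attachment, and parses the attachment back out. The function names, the bounce text and the example addresses are hypothetical; the only real-world constants are the EICAR string and its published size limits (68 bytes of signature, optional trailing whitespace, at most 128 bytes in total).

```python
"""Generate the EICAR test fixture at test time instead of shipping a sample.

Added example for this page; not code from the bug thread or the Perl module.
Helper names are hypothetical. Uses only Python's standard 'email' library.
"""
import email
from email.message import EmailMessage
from email.policy import default
from typing import List, Tuple

# The published 68-byte EICAR test string, kept as three fragments so that
# this source file itself does not carry the signature; only the fixture
# assembled at run time does. The joined bytes are what scanners detect.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}",
    "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    "$H+H*",
)
EICAR_LEN = 68          # length of the signature itself
EICAR_MAX_FILE = 128    # signature plus optional trailing whitespace


def eicar_bytes() -> bytes:
    """Assemble the EICAR test file content (exactly 68 ASCII bytes)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def is_eicar_test_file(data: bytes) -> bool:
    """True only for the EICAR file: signature, then optional whitespace.

    Useful as a repository gate: a sample directory may contain this and
    nothing else, so a real malware sample slipped in upstream is rejected.
    """
    if len(data) > EICAR_MAX_FILE or not data.startswith(eicar_bytes()):
        return False
    return data[EICAR_LEN:].strip(b" \t\r\n") == b""


def build_bounce(attachment: bytes, filename: str = "sample.com") -> bytes:
    """Constructed bounce message carrying one attachment (fixture builder).

    Stands in for a test fixture that would otherwise be shipped in the
    source tarball with a real malware sample inside it.
    """
    msg = EmailMessage(policy=default)
    msg["From"] = "MAILER-DAEMON@mx.example.invalid"   # constructed address
    msg["To"] = "sender@example.invalid"               # constructed address
    msg["Subject"] = "Undelivered Mail Returned to Sender"
    msg.set_content("The message could not be delivered; original attached.\n")
    # Bytes attachments default to base64 transfer encoding, so the raw
    # message on disk never contains the signature in clear text.
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def attachments(raw: bytes) -> List[Tuple[str, bytes]]:
    """Return (filename, decoded payload) for every attachment in raw."""
    parsed = email.message_from_bytes(raw, policy=default)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in parsed.iter_attachments()]


if __name__ == "__main__":
    bounce = build_bounce(eicar_bytes())
    for name, payload in attachments(bounce):
        print(name, len(payload), is_eicar_test_file(payload))
```

A test suite built this way ships no sample at all: the fixture is produced by `eicar_bytes()` when the test runs, and `is_eicar_test_file()` lets a packaging check refuse any other binary blob under the test directory. Note that some scanners will still flag the generated file on the build host, which is the expected and harmless result for EICAR.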