Re: Bug#726393: general: Possible malware infections in source packages
On 16 October 2013 11:12, Marc Haber <email@example.com> wrote:
> On Tue, 15 Oct 2013 12:54:36 +0200, Dominik George <firstname.lastname@example.org>
>>> Some of the source packages were caught on a gateway anti-virus scanner while
>>Using a gateway anti-virus scanner for downloads from the Debian archive
>>seems a bit inappropriate, well, paranoid. Checking the signed hashsums
>>would seem a lot better to verify the downloads; if Debian's
>>infrastructure were compromised so viruses could get in *and* be signed,
>>we and you have other problems.
> In many organisations it would be a _huge_ hassle to be allowed to
> download Debian packages directly while bypassing the gateway scanner.
> It might even lead to a knee-jerk reaction like "This Debian thingy
> keeps setting off our security alerts, let's ban it and use a
> supported enterprise distro".
I have to join Marc here and say "me too". In my organisation we
actually have those controls in place (antivirus/antimalware) in the
Internet gateways and we do not disable them for specific traffic
flows unless a detailed risk analysis has been done (and approved).
Following a defence-in-depth approach, we don't rely on a single
control as Dominik proposes (check signed hashsums and you are done)
but also inspect any incoming data from the Internet. From my point of
view this is not being paranoid, it is implementing best security
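For readers who want to see what "checking the signed hashsums" on a source package actually involves, here is an added example that is not part of this thread and is not Debian's own tooling. It parses the Checksums-Sha256 field of a .dsc (the clearsigned source control file) and checks each listed file's size and SHA-256 digest against it. The package name `foo`, the file contents and the .dsc text are constructed for the example; the OpenPGP signature on the .dsc is assumed to have been verified beforehand with `dscverify` (from devscripts, which also checks the checksums) or `gpg --verify` against the debian-keyring, since that step cannot run offline here.

```python
"""Check the source files referenced by a Debian .dsc against its
Checksums-Sha256 field.

Added example for this thread, not Debian tooling. The signature on the
clearsigned .dsc is assumed to have been verified already (dscverify or
gpg --verify against the debian-keyring); this file shows only the
checksum half so that it runs offline.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Tuple

_SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def parse_checksums_sha256(dsc_text: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256_hex, size_in_bytes)} from the .dsc text.

    Checksums-Sha256 is a multi-line field: the bare header line is followed
    by continuation lines of the form ' <sha256> <size> <filename>'. The field
    ends at the first non-indented line, which in a clearsigned .dsc may be
    the '-----BEGIN PGP SIGNATURE-----' armor line.
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in dsc_text.splitlines():
        if in_field:
            if line.startswith((" ", "\t")):
                parts = line.split()
                if len(parts) != 3:
                    raise ValueError(f"malformed Checksums-Sha256 line: {line!r}")
                digest, size, name = parts
                if not _SHA256_HEX.fullmatch(digest):
                    raise ValueError(f"bad sha256 for {name}: {digest!r}")
                # The filename is later joined with a directory, so refuse
                # anything that could escape it (path separators, '.', '..').
                if "/" in name or "\\" in name or name in (".", ".."):
                    raise ValueError(f"unsafe filename in .dsc: {name!r}")
                entries[name] = (digest, int(size))
                continue
            in_field = False
        if line.startswith("Checksums-Sha256:"):
            in_field = True
    if not entries:
        raise ValueError("no Checksums-Sha256 field found")
    return entries


def verify_files(dsc_text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Compare in-memory file contents with the .dsc; return a status per file.

    Size is checked before hashing so that a truncated or padded download is
    reported as such; a file of the right size but wrong content is a
    'sha256 mismatch'. Files present but not listed are reported too, since
    the .dsc never vouched for them.
    """
    expected = parse_checksums_sha256(dsc_text)
    status: Dict[str, str] = {}
    for name, (digest, size) in expected.items():
        data = files.get(name)
        if data is None:
            status[name] = "missing"
        elif len(data) != size:
            status[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            status[name] = "sha256 mismatch"
        else:
            status[name] = "ok"
    for name in files.keys() - expected.keys():
        status[name] = "not listed in .dsc"
    return status


def verify_directory(dsc_path: str) -> Dict[str, str]:
    """Same check for a .dsc on disk, with its files in the same directory."""
    dsc = Path(dsc_path)
    text = dsc.read_text(encoding="utf-8")
    names = parse_checksums_sha256(text)
    files = {n: (dsc.parent / n).read_bytes() for n in names if (dsc.parent / n).exists()}
    return verify_files(text, files)


# Constructed sample: two tiny stand-ins for the tarballs and a .dsc whose
# Checksums-Sha256 field was filled in from them. 'foo' is a made-up package
# and the signature block is a placeholder, not a real OpenPGP signature.
SAMPLE_FILES = {
    "foo_1.0.orig.tar.gz": b"not really a tarball, just sample bytes\n",
    "foo_1.0-1.debian.tar.xz": b"debian/ directory contents would be here\n",
}
SAMPLE_DSC = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Format: 3.0 (quilt)\n"
    "Source: foo\n"
    "Version: 1.0-1\n"
    "Checksums-Sha256:\n"
    + "".join(
        f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}\n"
        for name, data in SAMPLE_FILES.items()
    )
    + "-----BEGIN PGP SIGNATURE-----\n"
    "(signature block omitted in this constructed sample)\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    print(verify_files(SAMPLE_DSC, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["foo_1.0.orig.tar.gz"] = b"X" + SAMPLE_FILES["foo_1.0.orig.tar.gz"][1:]
    print(verify_files(SAMPLE_DSC, tampered))
```

The order of checks matters for a gateway-scanner style deployment: the signature establishes that the .dsc text is what the uploader signed, the size and digest then bind each tarball to that text, and the filename guard keeps a hostile .dsc from pointing the verifier at files outside the download directory. A real .dsc also carries Checksums-Sha1 and an md5-based Files field; only the SHA-256 field is used here.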