On 10/15/2013 03:09 PM, Dominique Dumont wrote:
> On Tuesday 15 October 2013 13:19:38 Thijs Kinkhorst wrote:
>> It isn't a false positive in that regard that the package *does* in fact contain the virus sample. However, it *is* a false positive, as the sample is there intentionally, and no virus scanner can guess the reason why it is there. It does no harm in the location where it is, it will not spread, so is it in fact a virus? No, it isn't.
>
> I'm missing why the package cannot use the EICAR test virus signature for its purposes.
>
> In libmail-deliverystatus-bounceparser-perl case, the virus is used on the non-regression tests which are shipped in the original tarball (and in the Debian *source* package). This virus is *not* shipped in the Debian binary package.
>
> HTH
OK, you have already closed the ticket. I was expecting to find a general policy of "maintainers should not allow malware from upstream", but apparently this is not desired or the discussion belongs somewhere else.
It doesn't really matter what the intention is; you are still allowing malware to spread and potentially infecting users, as the files are publicly accessible. Just fetching the source package will give you this nice surprise.
In most cases, samples can be replaced with EICAR or equivalent to trigger the expected result, or tested with unit tests and proper mocking.
-- 
Jarkko Palviainen
Software Engineer, Linux Team
F-Secure Corporation
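The replacement approach suggested in this thread, as an added example that is not part of the bug discussion or of the libmail-deliverystatus-bounceparser-perl test suite: a Python helper that takes a bounce-message fixture, swaps the payload of every attachment for the EICAR test string while keeping the MIME structure, content type and filename intact (so a parser regression test still exercises the same message shape), plus a check a maintainer could run over a fixture directory to flag any attachment whose bytes are not an allowed stand-in. The sample bounce message, the `sanitize_fixture`, `attachments`, `body_text` and `unexpected_payloads` names, and the placeholder attachment bytes are all constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# The EICAR anti-virus test file: a harmless, publicly standardised string that
# scanners deliberately flag. Used here as the stand-in for a real sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_sample_bounce(attachment: bytes) -> bytes:
    """Construct a minimal bounce-style message carrying one attachment.

    This mimics the shape of a test fixture; the addresses and text are
    constructed for the example, not taken from any real bounce."""
    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@example.org"
    msg["To"] = "sender@example.net"
    msg["Subject"] = "Undelivered Mail Returned to Sender"
    msg.set_content("The original message was rejected by the remote host.\n")
    # add_attachment() turns the message into multipart/mixed for us.
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="original.eml")
    return msg.as_bytes()


def sanitize_fixture(raw: bytes, replacement: bytes = EICAR) -> bytes:
    """Return the message with every attachment body replaced by `replacement`.

    Headers of the attachment part (content type, disposition, filename) are
    preserved so a parser under test sees the same structure as before."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue
        filename = part.get_filename()
        maintype, subtype = part.get_content_type().split("/", 1)
        # set_content() clears the old Content-* headers and payload first,
        # so the disposition and filename have to be passed back in.
        part.set_content(replacement, maintype=maintype, subtype=subtype,
                         disposition="attachment", filename=filename)
    return msg.as_bytes()


def attachments(raw: bytes) -> list[tuple[str, str, bytes]]:
    """List (filename, content type, decoded bytes) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue
        found.append((part.get_filename(), part.get_content_type(),
                      part.get_payload(decode=True)))
    return found


def body_text(raw: bytes) -> str:
    """Return the text/plain body, which sanitising must leave untouched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_body(preferencelist=("plain",)).get_content()


def unexpected_payloads(raw: bytes, allowed=(EICAR,)) -> list[str]:
    """Filenames of attachments whose bytes are not one of the allowed stand-ins.

    Run over every fixture in a test directory before release, an empty
    result means no real sample is being shipped in the source package."""
    return [name for name, _ctype, data in attachments(raw) if data not in allowed]
```

A maintainer would apply `sanitize_fixture` once to each upstream fixture when importing it and keep `unexpected_payloads` as a test that fails if a fresh upstream tarball reintroduces a live sample; the bounce parser itself only ever sees the MIME headers and a 68-byte EICAR body.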