LinuxQuestions.org
Old 05-03-2006, 03:07 PM   #1
wakeboarder3780
Member
 
Registered: Mar 2006
Distribution: Ubuntu 6.10
Posts: 112

question about malicious pkg creation


I just have a general question about packages. Not that I don't trust the people that write the code for Linux out there; I'm sure there are a lot of awesome programmers behind the movement or it wouldn't be where it is today. But banking on the idea that there are always a few bad apples that ruin the bunch, what assurances do we have that some program, or pkg X, we install doesn't have a security back door written into it, or <insert some malicious idea here>? Not trying to make anyone angry, but I'm just curious how it all works.
 
Old 05-03-2006, 03:15 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

I don't know about other distros, but I know Debian has a pretty thorough review and high standards for any packages that are included in the repositories (for stable and testing at least, not sure about unstable). One of the things about open source software is that you typically have a lot of eyes parsing through the code. I guess it might be possible for a large scale conspiracy, but I'd think it was generally uncommon, IMHO.
 
Old 05-03-2006, 03:18 PM   #3
wakeboarder3780
Member
 
Registered: Mar 2006
Distribution: Ubuntu 6.10
Posts: 112

Original Poster
So code review is distro-specific? I was under the impression poor Linus had to review everything. I was thinking to myself, man it's a wonder that poor guy gets anything done at all!
 
Old 05-03-2006, 03:21 PM   #4
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Well, code for the kernel is done mostly by members of kernel.org. I think Linus has several deputies who have authority to add code to the official tree and review it. He of course has final say.

But all other packages are handled on a repository specific review. Things that are good enough (i.e. slightly buggy) might be good enough for Ubuntu, but on Debian, they may fail to compile on one of the 11 architectures supported, so it doesn't get into the stable repos. Only things that have been deemed bug free and compile/run properly on all the Debian supported architectures are in the stable repositories.
 
Old 05-03-2006, 03:28 PM   #5
wakeboarder3780
Member
 
Registered: Mar 2006
Distribution: Ubuntu 6.10
Posts: 112

Original Poster
Normally I would be embarrassed to ask, but it IS the newbie section, so: what is a repository? Just a distro's dumping ground for all the pkgs?
 
Old 05-03-2006, 03:37 PM   #6
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Yeah basically.

Repositories are just a collection of software. Many distributions have a large amount of packages in "unofficial" repositories that are not necessarily controlled by the distribution. Debian has probably the largest repository of official packages.

The advantage of repositories is that you can install a large variety of software that you know will work with your distribution, all for free. For example, I can install OpenOffice, a pdf reader, a web browser, an ftp client, an ftp server, database servers/clients, etc, etc all from the Debian repositories. If you wanted to install all that stuff on Windows, you'd probably have to hunt down the programs, some at download.com, some at third party websites, some at collection websites/CD (TheOpenCD), etc. So Linux users are a bit spoiled because we expect to be able to easily add the software we need at any time. Not to mention that we can remove any unnecessary software with the same amount of ease.
 
Old 05-03-2006, 10:00 PM   #7
wakeboarder3780
Member
 
Registered: Mar 2006
Distribution: Ubuntu 6.10
Posts: 112

Original Poster
I figured it must have all been monitored or someone would have done something dirty by now. Thanks for telling me how it all works. Good to hear Linus isn't overloaded with it all.
 
Old 05-03-2006, 10:09 PM   #8
AwesomeMachine
Senior Member
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 2,969

A repository is like:

ftp://ftp.heanet.ie/pub/debian

Only Debian can upload to this mirror. There are hundreds of such repositories. Every distro has at least one.
 
Old 05-04-2006, 11:29 AM   #9
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Quote:
Originally Posted by AwesomeMachine
Every distro has at least one.
Not sure that is a completely accurate statement considering there are many specialty distros that don't have package managers, such as Coyote Linux, IPCop, Sveasoft Alchemy (although this is technically firmware), etc.

But definitely most of the major general purpose distros have repositories. Although now that I think about it, are there Slackware repositories (haven't used it lately and I feel like a long time ago it was strictly source based)...
 
Old 05-04-2006, 04:50 PM   #10
Michael_aust
Member
 
Registered: Aug 2005
Location: Lancashire (United Kingdom)
Distribution: Debian Etch, on 686 machine.
Posts: 509

As far as I know, all Debian developers have their own PGP keys that are used to sign off packages that get uploaded. This makes sure that the packages uploaded can be authenticated to see if they really came from them.

Packages in the official repositories and the popular unofficial ones I would say are safe to use. All the big-name distros have strict guidelines and code audits for packages. As long as you stay away from Stan's home-cooked packages on a server in Bosnia you will be alright.

There is no way to be sure whether something has a backdoor in it intentionally unless you compile everything from source and audit it yourself. You just have to trust the package maintainers and the coders of the applications. I would personally be more worried about proprietary software from the US (cough, MS products, cough) having a security back door intentionally put in for government spying reasons or detecting pirated software etc.
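As an added illustration of the signing point raised in the last post (example code, not from the thread or from Debian's own tools): below the archive's PGP signature on the Release file, an apt client authenticates each package by a chain of SHA256 digests, so one signature covers the whole index. The gpgv check of the Release signature itself is assumed to have passed and is not shown; the Release and Packages text and the stand-in .deb bytes are constructed here.

```python
import hashlib

# Added example, not code from the thread.  apt's trust chain: the archive
# key signs the Release file (checked with gpgv, assumed done here); Release
# lists the SHA256 of each Packages index; each Packages stanza lists the
# SHA256 of a .deb.  So one signature covers every package.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text: str) -> dict:
    """{path: (sha256, size)} from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_block:
            break                      # next top-level field ends the block
    return entries

def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanzas (dicts), separated by blank lines."""
    stanzas = []
    for block in packages_text.strip().split("\n\n"):
        fields = (line.partition(":") for line in block.splitlines())
        stanzas.append({k: v.strip() for k, _, v in fields})
    return stanzas

def verify_chain(release, index_path, packages, deb_name, deb):
    """True only if Packages matches Release and the .deb matches Packages."""
    if parse_release_sha256(release).get(index_path) != (sha256_hex(packages), len(packages)):
        return False                   # index tampered with or not covered
    for st in parse_packages(packages.decode()):
        if st.get("Filename", "").endswith("/" + deb_name):
            return st.get("SHA256") == sha256_hex(deb) and int(st.get("Size", -1)) == len(deb)
    return False                       # package is not in the signed index

# Constructed sample archive: the bytes below stand in for a real .deb.
DEB = b"!<arch>\nconstructed-deb-placeholder\n"
PACKAGES = ("Package: hello\nVersion: 2.1.1-4\nArchitecture: amd64\n"
            "Filename: pool/main/h/hello/hello_2.1.1-4_amd64.deb\n"
            f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n\n").encode()
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n"
           f" {sha256_hex(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n"
           "Date: Wed, 03 May 2006 20:00:00 UTC\n")
```

A single flipped byte in either the index or the package breaks the chain, which is why a client only needs to trust the key that signed Release, not each mirror it downloads from.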