LinuxQuestions.org

question about malicious pkg creation (https://www.linuxquestions.org/questions/linux-newbie-8/question-about-malicious-pkg-creation-441334/)

wakeboarder3780 05-03-2006 03:07 PM

question about malicious pkg creation
 
I just have a general question about packages. Not that I don't trust the people that write the code for Linux out there, I'm sure there are a lot of awesome programmers behind the movement or it wouldn't be where it is today. But banking on the idea that there are always a few bad apples that ruin the bunch, what assurances do we have that some program, or pkg X we install, doesn't have a security back door written into it, or <insert some malicious idea here>? Not trying to make anyone angry, but I'm just curious how it all works.

pljvaldez 05-03-2006 03:15 PM

I don't know about other distros, but I know Debian has a pretty thorough review and high standards for any packages that are included in the repositories (for stable and testing at least, not sure about unstable). One of the things about open source software is that you typically have a lot of eyes parsing through the code. I guess it might be possible for a large scale conspiracy, but I'd think it was generally uncommon, IMHO.

wakeboarder3780 05-03-2006 03:18 PM

So code review is distro-specific? I was under the impression poor Linus had to review everything. I was thinking to myself, man it's a wonder that poor guy gets anything done at all! ;)

pljvaldez 05-03-2006 03:21 PM

Well, code for the kernel is done mostly by members of kernel.org. I think Linus has several deputies who have authority to add code to the official tree and review it. He of course has final say.

But all other packages are handled on a repository-specific review. Things that are good enough (i.e. slightly buggy) might be good enough for Ubuntu, but on Debian they may fail to compile on one of the 11 architectures supported, so it doesn't get into the stable repos. Only things that have been deemed bug free and compile/run properly on all the Debian-supported architectures are in the stable repositories.

wakeboarder3780 05-03-2006 03:28 PM

Normally I would be embarrassed to ask, but it IS the newbie section, so: what is a repository? Just a distro's dumping grounds for all the pkgs?

pljvaldez 05-03-2006 03:37 PM

Yeah basically.

Repositories are just a collection of software. Many distributions have a large amount of packages in "unofficial" repositories that are not necessarily controlled by the distribution. Debian has probably the largest repository of official packages.

The advantage of repositories is that you can install a large variety of software that you know will work with your distribution, all for free. For example, I can install OpenOffice, a PDF reader, a web browser, an FTP client, an FTP server, database servers/clients, etc., etc. all from the Debian repositories. If you wanted to install all that stuff on Windows, you'd probably have to hunt down the programs, some at download.com, some at third-party websites, some at collection websites/CDs (TheOpenCD), etc. So Linux users are a bit spoiled because we expect to be able to easily add the software we need at any time. Not to mention that we can remove any unnecessary software with the same amount of ease.

wakeboarder3780 05-03-2006 10:00 PM

I figured it must have all been monitored or someone would have done something dirty by now. Thanks for telling me how it all works. Good to hear Linus isn't overloaded with it all. ;)

AwesomeMachine 05-03-2006 10:09 PM

A repository is like:

ftp://ftp.heanet.ie/pub/debian

Only Debian can upload to this mirror. There are hundreds of such repositories. Every distro has at least one.

pljvaldez 05-04-2006 11:29 AM

Quote:

Originally Posted by AwesomeMachine
Every distro has at least one.

Not sure that is a completely accurate statement considering there are many specialty distros that don't have package managers such as coyote linux, IPcop, Sveasoft Alchemy (although this is technically firmware), etc.

But definitely most of the major general-purpose distros have repositories. Although now that I think about it, are there Slackware repositories (haven't used it lately and I feel like a long time ago it was strictly source based)...

Michael_aust 05-04-2006 04:50 PM

As far as I know all Debian developers have their own PGP keys that are used to sign off packages that get uploaded. This makes sure that the packages uploaded can be authenticated to see if they really came from them.

Packages in the official repositories and the popular unofficial ones I would say are safe to use. All the big-name distros have strict guidelines and code audits for packages. As long as you stay away from Stan's home-cooked packages on a server in Bosnia you will be alright.

There is no way to be sure, unless you compile everything from source and audit it yourself, whether something has a backdoor in it intentionally. You just have to trust the package maintainers and the coders of the applications. I would personally be more worried about proprietary software from the US (cough, MS products, cough) having a security back door intentionally put in for government spying reasons or detecting pirated software etc.
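To make the signing point above concrete: the developer's PGP signature on an upload is checked by the Debian archive when it accepts the package; what a user's apt checks is a different link, the archive signing key's signature over the Release file, whose listed SHA256 hashes cover the Packages index, which in turn lists the SHA256 of every .deb. The following is an added example written for this thread, not code from Debian or apt. It models that hash chain on constructed data; the actual OpenPGP verification of Release.gpg/InRelease (done by gpgv against the keys in /etc/apt/trusted.gpg.d) is represented by a boolean parameter, since no real key material is embedded here. The package name, hashes and file contents are all made up for the demo.

```python
"""Verify an apt-style chain of trust on constructed data (added example).

Chain: archive key signs Release -> Release lists SHA256 of Packages
      -> Packages lists SHA256 of each .deb.
"""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a .deb and a tampered copy of it.
DEB_GOOD = b"!<arch>\nconstructed stand-in for hello_1.0-1_amd64.deb\n"
DEB_TAMPERED = DEB_GOOD + b"# extra bytes appended after the index was signed\n"

# Constructed Packages index stanza (like dists/stable/main/binary-amd64/Packages).
PACKAGES_PATH = "main/binary-amd64/Packages"
DEB_FILENAME = "pool/main/h/hello/hello_1.0-1_amd64.deb"
PACKAGES = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_FILENAME}\n"
    f"Size: {len(DEB_GOOD)}\n"
    f"SHA256: {sha256_hex(DEB_GOOD)}\n"
    "\n"
).encode()

# Constructed Release file; only its SHA256 section is used here.
RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {PACKAGES_PATH}\n"
).encode()


def parse_release_sha256(release):
    """Return {index_path: (sha256_hex, size)} from a Release file's SHA256 section."""
    entries = {}
    in_section = False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if not line.startswith(" "):
            in_section = False      # any non-indented line ends the section
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages):
    """Split a Packages index into a list of {field: value} stanzas."""
    stanzas, current = [], {}
    for line in packages.decode().splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_package(release_signature_ok, release, packages, packages_path,
                   deb_filename, deb_bytes):
    """True only if every link holds: signature, Packages hash, then .deb hash.

    release_signature_ok stands in for gpgv's verdict on Release.gpg/InRelease
    (assumption for this demo; a real client must run that check first).
    """
    if not release_signature_ok:
        return False
    expected = parse_release_sha256(release).get(packages_path)
    if expected is None:
        return False
    digest, size = expected
    if size != len(packages) or not hmac.compare_digest(digest, sha256_hex(packages)):
        return False
    for stanza in parse_packages(packages):
        if stanza.get("Filename") == deb_filename:
            return (int(stanza.get("Size", -1)) == len(deb_bytes)
                    and hmac.compare_digest(stanza.get("SHA256", ""), sha256_hex(deb_bytes)))
    return False                    # package not listed in the signed index


if __name__ == "__main__":
    print("good .deb:", verify_package(True, RELEASE, PACKAGES, PACKAGES_PATH, DEB_FILENAME, DEB_GOOD))
    print("tampered .deb:", verify_package(True, RELEASE, PACKAGES, PACKAGES_PATH, DEB_FILENAME, DEB_TAMPERED))
```

The negative cases are the useful ones: a mirror operator (or anyone in the network path) can swap the .deb or even rewrite Packages to match it, but cannot regenerate a Release file that the archive key will sign, so the tampered chain fails at the first hash that no longer matches the signed document.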

