Backdoor Found In UnrealIRCd Source Archive 174
l_bratch writes "A malicious backdoor was added to the UnrealIRCd source archive some time around November 2009. It was not noticed for several months, so many IRC servers are likely to be compromised. A Metasploit exploit already exists."
It's nice that they're honest. (Score:5, Insightful)
Re:It's nice that they're honest. (Score:4, Insightful)
Well, unless you're Google, in which case you're raked over the coals and accused of being at the right hand of the devil himself...
Re:It's nice that they're honest. (Score:5, Funny)
It could be worse... You could be the guy at Microsoft that was ordered to write this exploit and then insert it into the codebase without getting caught.
Re: (Score:2, Funny)
Seriously, that's what you call unchecked paranoia. Nobody is ordering Microsoft grunts to sabotage open source software. They do that in their free time for fun.
Re: (Score:3, Funny)
You're in the wrong article. The one about autism is a few further down the front page. In this one, you're supposed to have a sense of humour or, if you're American, a sense of humor.
That's it, I'm headed to the autism article to make a joke. Wapner, here I come!
Re: (Score:2)
Sooo.... the devil is left handed then, since the right can do no evil?
Good to know :)
Re: (Score:2)
And if your Linux you're always the victim of unsuspecting FUD clouding everyone's judgment.
http://www.zdnet.com/blog/bott/linux-infection-proves-windows-malware-monopoly-is-over/2206?tag=mantle_skin;content [zdnet.com]
This article is hardly what I'd consider a fair call.
Re: (Score:3, Insightful)
A common way of
Re: (Score:2)
More code? Grabbing all the traffic is one:
Ok, two:
Re: (Score:2)
Unless your MS and you'll do whatever it takes to own the market...
You mean: :)
Unless your MS and youll do whatever it takes.
Or maybe:
Unless my MS what?
I'm not usually such a grammar nazi, but it's kind of unusual to see one incorrect usage, and one correct usage within 4 words of each other.
Re: (Score:1)
Well, perhaps it was an inside job...
Re: (Score:3, Insightful)
Re:It's nice that they're honest. (Score:4, Insightful)
Embarassing, in that, "Yes we screwed up, and we shouldn't have." or embarassing as in, "Oh shit, open source really isn't any better than security through obfuscation!"?
If you mean the first, I'm with you. We all screw up - and sometimes we need a reminder that we can't duck, or blame on someone else to keep us on our toes.
If you mean the second, well, I call bullshit. Several people have already pointed out that closed source shops are frequently the victims of malware. You can find a half dozen gadgets or softwares that have been SHIPPED FROM THE FACTORY with malware of some kind, just in the last year.
Personally, I really prefer the situation at Unreal. It's open source. Everyone who gives a small damn had the opportunity to check it out. Anyone could have run any number of monitoring tools on the software, and caught it doing it's thing. When it was found, the administrators made an announcement. I like honesty and open communications.
It's a helluva lot better than, for example, a closed source shop pushing an update to your telephone which opens your communications up to government monitoring. The only way THAT was discovered, was the relatively dramatic decrease in battery life immediately after the update was pushed.
To each his own though. Those who put their faith in corporate masters are welcome to buy only proprietary stuff. I'll go with open source whenever possible!!
Comment removed (Score:5, Informative)
Re: (Score:2)
When we say a "screwup" we mean that the developers screwed up by making the project vulnerable to such an attack and not detecting it sooner.
Re:It's nice that they're honest. (Score:5, Informative)
The parent post here found the key fact: If you check article, in fact it confirms the back door was NOT in the source code. Someone replaced some mirrors, and due to lack of a signature, got away with it for a long time.
This event does not repudiate the protections of having source code available to inspect, and having project governance that reviews code. It does suggest people should be careful about which mirrors they use and how signatures are checked.
Re: (Score:3, Interesting)
Embarassing (sic), in that, "Yes we screwed up, and we shouldn't have." or embarassing (sic) as in, "Oh shit, open source really isn't any better than security through obfuscation!"?
Well the old "many eyes" argument is getting embarrassing when it's obvious that all the eyes are on the front door while the window is wide open. As usual, it was not the VCS that was compromised, because many people at least casually look at commits, often it has to pass through a mailing list and often getting commit access is hard. Becoming a rouge committer is high risk/low yield, same with hacking a committer's computer. Hacking the VCS server would probably lead to the code changes showing up in diff
Re: (Score:2)
You make very valid points. But to me that means a wakeup call for open source distribution, not open source software per say. You can reasonably trust open source code to be free of this sort of stuff. If you want to make sure it doesn't get compromised on its way to you, you need a distro that does its job of making sure the software it distributes hasn't been compromised along the way. The many eyes argument holds as far as the source is concerned. I don't think a 'many eyes' argument can be made as
Re: (Score:2)
You have examples of a closed source product being shipped with a trojan binary in the official release vehicle?
Not an example of a consumer electronics device that has malware shipped on the device (which isn't a OSS vs COSS issue) but an example of a COSS vendor shipping a trojaned binary on the official release site?
Re: (Score:2)
Wargasm comes to mind (on install media). IIRC, that was around the same time as the Myth II installer debacle.
Korean MSDN was shipping malware too
Re: (Score:2)
Embarassing, in that, "Yes we screwed up, and we shouldn't have." or embarassing as in, "Oh shit, open source really isn't any better than security through obfuscation!"?
Actually, it doesn't even mean that. Not in the least. This is about poor developers and a woefully obviously broken development process and broken developers.
For this to be allowed to happen means no one is monitoring what is committed to the repository, let alone what is merged into production releases. This basically means those in charge of the development process are idiots. Did I mention they are absolute fucking idiots? This is the expected result be it open source or commercial software. Period. The
Re: (Score:2)
Personally, I really prefer the situation at Unreal. It's open source. Everyone who gives a small damn had the opportunity to check it out. Anyone could have run any number of monitoring tools on the software, and caught it doing it's thing.
But nobody did; that's the problem. It's all nice that you can check it; but if you are in a situation where most people prefer to choose to believe/hope/pray that someone else will, well, then, the advantage of being able to view the source isn't really an advantage if no-one utilizes said advantage.
And if you really want to encourage the ordinary non-technical user to adopt Linux, then you have to be aware of that. Even plenty of highly technical users will not check the code, for the simple reason it's n
Re: (Score:2, Informative)
Re: (Score:2)
Yeah, because I get my proprietary applications from tarballs hosted on mirror servers.
Er, wait....
No, this wasn't an attack based on access to the source, but it was an attack that took advantage of the nature of open source software community. The lesson here is that open source advocates need to get off their high horses and accept that vulnerabilities happen, even to open source projects.
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
Who's been claiming that things like this couldn't happen?
This is the reason that both deb's and rpm's went to signing all packages, and the reason that best practice requires that signatures not be hosted on the same server as the binaries. (OTOH, I've got to admit that these "best practices" aren't always followed. And I'm currently trusting a package from one site that doesn't sign it's debs with a signature I'm willing to trust. But if I were conscientious I wouldn't use that package.)
So, yeah, this
Re: (Score:2, Interesting)
It's still an embarrassment for open source though.
Talk about generalisation. One project getting rooted isn't representative to the rest of them in any way. Also, FTFA:
CVS is also not affected.
This was a case of distribution packages on their mirror site being replaced with malicious version, not a breakage of the development process. It's also something that happens all the time with closed source SW too, which is why you don't want to download installers from suspicious sites.
Re: (Score:2)
The problem is for "everyone can see the source" to work you need to have a guarantee that they are all looking at the same code. In this case I guess all the developers where looking at their CVS trees, while average Joe was just downloading and compiling the backdoored tarball. To stop this kind of problem from happening you would need to secure the source code via GPG signatures and make sure that users actually check those signatures. The first thing is what they are now doing and what many other projec
Re: (Score:2)
Why isn't average Joe installing the IRC server from his distro, after being checked by the maintainer and signed to prevent tampering?
Re: (Score:3, Insightful)
The GPG check can also fail if they just get you to add their private key into you list of trusted keys. This is a point that has occasionally bothered me. There doesn't seem to be any decent way to authenticate that the key you're being asked to add is one that should be trusted. Web of trust was a decent approach, but it didn't scale. It demanded personal meetings and the new person being vouched for by the old one. When it got expanded onto the web, the process got broken.
Someone needs to start thin
Re: (Score:2)
Someone needs to start thinking seriously about this.
The best approach so far is the SSH one, give a short warning when connecting to a new host, but let the user connect, but give a big fat warning when the host key changes later on.
The important part when it comes to signing of downloads isn't that you can guarantee that it comes from a trusted good source, but simply that it comes from the same source as the last few downloads.
Re: (Score:2)
Whats to stop them from inserting malicious code, compiling and packaging it up and seeding it to anyone that `aptitude install`s it?
In a perfect world the key would need to have some minimum level of trust assigned to it to let it pass through automatic verification. And trust would be gained by both time and other people. Somebody who has registered a month ago on launchpad and was active over all that time is more trustworthy then somebody who created his account yesterday. Also people in the open source world could give trust to each other (i.e. when you want to upload something to Debian, you do it first via a mentor, not by yoursel
Re: (Score:2)
but it's also sad that they are not vigilant. the backdoor is a lame backdoor that a middle school kid could pull off. how no one noticed is unbelievable for so long!
gemster@hidden:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)
gemster@hidden:~/Unreal3.2$
freaking (system)
it wasn't even something creative hidden with a race condition or buffer overflow, I hate to trust that ircd server, until the entire source is a
Re:It's nice that they're honest. (Score:4, Informative)
Closed source software has similar problems with disgruntled employees. Only difference is that the company when finding the backdoor quietly fixes it and gags anyone from going to the media about it.
Re: (Score:2)
I've heard that assertion before, but I've never seen any evidence to back it up. (Well, not strictly true. Back around 1998 I think I did see some evidence, but I couldn't check it's honesty.)
If I were to assert that all proprietary software were an incredible garbage pit of sloppy hacks and unchecked array references you couldn't prove me wrong. But there's good evidence that that describes much proprietary software. (And I left out copyright infringement.)
Now I think my proposed assertion is wrong, b
Re: (Score:2, Interesting)
Yes, because a single trojan in a server that:
1) no one uses (not a single user checked the hash of the download over seven months),
2) is not in the repos of most distros,
3) was not included in the Debain repos, despite there being a willing maintainer, because of poor code quality- see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515130 [debian.org]
completely refutes all the different arguments in favour of open source (many eyeballs, multiple vendors to provide free market competition, no lock in, etc).
We all know
Re: (Score:2, Insightful)
Yes, because a single trojan in a server that:
1) no one uses (not a single user checked the hash of the download over seven months),
The hashes most probably _where_ checked by peopel, however they've been changed to reflect the backdoored .tar.gz on the website.
This is from the horses mouth a.k.a. Syzop:
[12:30:04] well the main site got hacked huh, so the md5sum on the website was reflecting the trojanized version
[12:30:18] but nobody checked the md5sum against the one mentioned in the announcement
Re:It's nice that they're honest. (Score:5, Insightful)
3) was not included in the Debain repos, despite there being a willing maintainer, because of poor code quality- see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515130 [debian.org]
The lack or presence of a software in Debian does not mean anything about its quality.
Unfortunately there are are people, among the Debian devel, who are more political assholes than proper developers.
An example of utter garbage present in Debian is pdns [debian.org] (the software itself collapses after running for few hours, even minutes, depending on your load). Yet, each new Debian release contains a new version of that software. -- And that's not the only case.
Re: (Score:2)
Although it only serves two PCs, my pdns installation has about one month of uptime right now and has never "collapsed".
Also, I don't see your bug report, have you filed one? Or are you expecting the maintainers to magically find about it and fix it?
I'm not saying it's perfect (it never is), but from what I can tell is very rare to find out such problems.
Re: (Score:2)
FWIW, I've run into problems trying to file bug reports. It's generally been harder to file the reports than to deal with the problem.
Now in this particular case the complaining party apparently could identify the bug down to "which package is causing the problem", but I usually can't. My system will have been working fine, until suddenly it isn't. Then the system asks me to file a bug report on some package, and I've no idea why the system suddenly failed. I wasn't, as far as I knew, doing anything unu
Re: (Score:2)
It's not just a browser, it's a browser + Slashdot. Never any other site.
And never when I'm not on the web, compiling, editing, etc. So I don't think it's RAM. I suppose there might be some communications thing that Slashdot exercises, and other things don't, but RAM doesn't sound reasonable.
Re: (Score:2)
Logic fail, does not follow. Just because the hash has not been checked (which it might have been as the attacker could have replaced the hash on the server as well as the code), it does not follow that no one uses or no one has downloaded the code. The "many eyes" claim results in a false sense of security.
Windows safer than linux (Score:1, Funny)
From TFA "The Windows (SSL and non-ssl) versions are NOT affected."
Cool, you dont get to see this too often when windows version is safer than a linux one!
Re: (Score:3, Insightful)
Re:Gentoo (Linux) not affected (Score:2, Informative)
Cool, you dont get to see this too often when windows version is safer than a linux one!
Hehe..
It also depends on the distributions. Gentoo Linux, for example, was not affected because the package maintainers at Gentoo digitally sign the source tarballs. In this case, the digest created by the Gentoo developer corresponds to the uninfected version. So, any Gentoo user trying to install UnrealIRCd from a infected mirror, would have a digest mismatch and the package manager would just refuse to install.
See https://bugs.gentoo.org/show_bug.cgi?id=323691 [gentoo.org]
Of course it things could still go wrong if t
Re: (Score:2, Informative)
You're wrong, read comment #8. The ebuild manifest was created using the infected version. Package maintainers are suppose to verify the source tarballs before making an ebuild which creates RIPEMD-160, SHA-1 and SHA-256 checksums. Gentoo wasn't any safer in this instance due to maintainer failure.
Only some versions affected (Score:2, Informative)
Slightly misleading summary. Only some versions on the mirrors were affected.
From the UnreadIRCd forums:
The Windows (SSL and non-ssl) versions are NOT affected.
CVS is also not affected.
3.2.8 and any earlier versions are not affected.
Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check.
The remediation advice is wrong (Score:2, Insightful)
FTA, "Obviously, you only need to do this if you checked you are indeed running the backdoored version, as mentioned above."
A skilled attacker will have replaced md5sum so that it returns the hash that corresponds to the good version, and in general installed a rootkit. The remediation advice they provide is broken.
If you have installed the affected software, you should probably assume you are owned, regardless of what any local tests tell you.
Re: (Score:3, Insightful)
If you're running an ircd as root you deserve whatever you get.
Re:The remediation advice is wrong (Score:4, Insightful)
Yes, of course. Because its not even conceivable that the intruder has any local exploits.
Re:The remediation advice is wrong (Score:5, Funny)
May I remind you that the Windows binaries are unaffected?
Re: (Score:2)
Correct answer is to make a service account, should also not run it as your user account. Otherwise they can add something to your path in your .bashrc and put their md5sum there.
Also a service like ircd is pretty simplistic on what capabilities it needs, so it should have an apparmor or selinux profile. That should prevent practically any possibility of local elevation.
Re: (Score:2)
If you installed your ircd without doing anything that requires root, you're using an unusual install approach (it's totally possible, of course, just unusual). There's no need for the exploit to occur when you run the program; put the exploit payload in the installer and you get far higher permissions for it to play with.
Re: (Score:2)
Re: (Score:2)
--prefix=/opt/ircd is such an unusual approach? (assuming your user can write there, put it wherever else, even under ~/)
Re: (Score:2)
Linux users, on average, are more savvy than Windows or Mac users... but a lot of them still tend to install things using their package manager or, lacking that as an option, via ./configure && make && sudo make install (or possibly putting each on its own line). Even standard configure arguments, like --prefix, are relatively unknown to your average Ubuntu or user. Besides, to most of the computer-using world (and remember that most Linux users didn't grow up with it, they came from Window
Re: (Score:2)
Installing from the repositories (at least in APT) never runs the original installer. The package manager (dpkg) reads the debian control files for the list of files to be installed and copies them itself. It can also run the post-inst scripts, but those are written by the maintainer, not the upstream devs (therefore, not the infected code).
Re: (Score:1)
Re: (Score:1)
Yeah, LiveCD is an option if you have it.
Re: (Score:2)
Well the truly paranoid but still polite person will download the software from the mirror and the check hashes. (S)He would then also download the hashes from the projects main site. First the hashes would be checked to make sure they match and then then if they do you validate the package hashes to that same value.
Bandwidth has gotten cheap enough these days that most projects can afford to transfer at least the checksums to end users.
Re: (Score:2)
A skilled attacker will have replaced md5sum so that it returns the hash that corresponds to the good version, and in general installed a rootkit. The remediation advice they provide is broken.
That requires root access (unless your path is wonky or screwed with). One additional thing you can check is put a known good copy of a statically linked md5sum in your home directory and run that. That should protect you from all user-mode rootkits (even with root access). Kernel-mode rootkits are always a possibility to screw you though.
Backdoor allows user to execute ANY command (Score:3, Funny)
Re: (Score:2)
I migrated from Unreal to Inspircd about a year ago (phew), and it was a problem. I had (until then) assumed that the IRC linking protocol was a common protocol (like SMTP or XMPP). Oh no.
So, to all the IRC software people - get together, and standardise on a single format. You can have an "extensions" section in the protocol for your specific additions, but make it a general, federated protocol
Re: (Score:2)
What does IRC offer that isn't in something newer, like XMPP?
Well yes... (Score:5, Insightful)
First, as others have said, the Unreal guys handled this intelligently and properly, so bravo for that.
Secondly, no offense to them, but the Unreal guys wouldn't have had this issue if they regularly verified mirrors. The Unreal guys have been less active in the past few years though, and their software is primarily used by many smaller networks, often with less experience as the IRCd is a bit slow and the codebase is long in the teeth (they're looking to replace this). Something like this was really bound to happen for their team. That said, still good work.
Thirdly, this is why IRC is never ran on its official low numbered port, but on 6667 - there is NO REASON to run IRCd as root - I don't care how safe you think the code is - it's too huge of a target.
So hopefully, anyone sane shouldn't have had more than a sandbox compromised, the patch the Unreal guys released will fix this, and we can all get on with stuff.
Just a few thoughts, oh, and IAAI and IAAIP (I am an IRCop and I am an IRCd Programmer).
Re: (Score:2)
hirdly, this is why IRC is never ran on its official low numbered port, but on 6667 - there is NO REASON to run IRCd as root - I don't care how safe you think the code is - it's too huge of a target.
I am looking at it the other way around. There is not really any reasons now to require root access in order to listen on ports below 1024.
It made a lot of sense during the 70's and 80's, that you could basically trust individual computers and that some untrusted user would not set up a service that looked official and legitimate. But the time has changed and we have things like cryptographic software that take much of that away.
Actually almost every service that listens on ports below 1024 could run withou
Re: (Score:2)
Re: (Score:2, Informative)
Also of interest: Linux's CAP_NET_BIND_SERVICE capabilities flag [kernel.org], which would allow giving a process the ability to attach to lower-than-1024 ports without giving it full root.
Re: (Score:2)
You're not forced to run those services as root. You can have something open the port then drop root privileges.
From an exploit standpoint, once its running as root, even for "just a little bit", you're vulnerable.
Or you can set up firewall rules or a proxy of some sort to forward everything from the lower-numbered port onto a higher port, and not need the server software to ever be root at all.
This is a bit better, assuming you can trust your proxy :)
Re: (Score:3, Insightful)
It's there for a reason.
If a server is compromised, the "normal" ports cannot be set up as listeners without also escalating your breakin.
Re:Well yes... (Score:4, Insightful)
I am looking at it the other way around. There is not really any reasons now to require root access in order to listen on ports below 1024.
Amen. I'm glad I'm not the only one. In this day and age, where anyone can run a Unix box, the whole "root under 1024" thing is redundant. http://calum.org/posts/root-to-bind-to-ports-under-1024 [calum.org].
Make it a damn kernel config option at the very least, and let me decide.
Well (Score:2)
Yet another reason to digitally sign your packages. That way, even if your server is hacked, people will know it didn't come from the authors of the software.
See gnupg.org
Re: (Score:2)
You can add a small layer of security (easily bypassed if the attacker knows where to look, but still...) by placing the hash and/or signature verification in your installer. Add something to the config scripts, or possibly to your makefile. If you offer pre-built packages, it's even easier.
Re: (Score:2)
Sounds to me like you are suggesting security through obscurity. Isn't that something that gets soundly derided here on slashdot when used in proprietary code? Why, yes, yes it is.
Re: (Score:2)
What I'm suggesting is part of a defense in depth. You can't rely on security through obscurity, but obscurity can provide some assistance. The concept that security through obscurity is fundamentally flawed comes from encryption/hash algorithms, which are so complex that attempting to cook your own in secret is likely to result in something that is actually easier to crack - even though you either must first reverse-engineer how it works or just use brute force - than a published and thoroughly reviewed, t
Re: (Score:3, Insightful)
the more efficient way is to sign the hash.
Digital signatures actually ARE signed hashes. So I'm not sure what you're trying to invent there (and how it would be more efficient).
Re: (Score:3, Insightful)
If you want to use a hash alone, you only check integrity, but not authenticity. The attacker may alter the hashes published on your server and you won't detect that.
And again, if you meant signed hashes, then that is exactly what digital signatures are. Signed hashes of the files. The recipient hashes the file, compares the hashes, and verifies the signature of the hash. That's how digital signing works, my friend.
Your posts contain no suggestions for improvement, but they may even weaken your security.
Re: (Score:3, Informative)
I KNOW.
Please read what I wrote.
Hash a large file. Time is spent. Cryptographically sign a file, more time is spent.
Instead, you sign the hash, and spend -less- time computing the signature. If the signature is true, then the hash is true, and by extension the large file is true.
Re: (Score:2)
Actually, if 1% at random check, then after 100 downloads, you've still got a 37% chance that nobody has checked. .99^100 = .36603
With greater source code freedom... (Score:2)
... comes greater responsibility and watching.
I hope they learnt their lesson. And other open source code maintainers, before it happens them.
This indeed happened to only the mirrors, but was pulled off by exploting the fact that the source code was open.
It's very important to keep these things under check because it's pretty much the #1 vulneraibility to this development model.
Re: (Score:2)
Re:Remember, kids! (Score:5, Informative)
Actually, the hash was not modified from when they posted the true source. Anybody who would have checked it would have recognized that something was wrong.
Re: (Score:1)
Haha, nobody ever checks hashcodes. It's only a matter of time before like 10 million users install something and NONE of them checked the hash code !
Re: (Score:3, Informative)
That's why it's important to have GPG signed packages from your distribution. It's a shame Unreal isn't available through Debian.
Re: (Score:2)
I always check has codes. Not that they aren't relatively easily worked around, considering most developers are still using MD5.
Re: (Score:2)
I once downloaded an open source project, checked the hash and found it was bad. Wrote the admin about it and NEVER got a response. Anybody else seen this or had a hash not check out? I can't remember what it was.
Re: (Score:2)
From the post in the forum, it seems that only the source tgz in the mirrors was affected. So, anyone who checked the MD5 agains the official (non-mirrored) tgz would realize the difference.
Apparently, no one bothered to check for a long time, though.
Re: (Score:2)
Apparently, no one bothered to check for a long time, though.
Or perhaps the people that did check just assumed that the genuine uploaders forgot to include/update the hashes so that the difference was due to the hash being for the previous (or earlier) version. Though in that case you'd expect the sort of person who would check official hashes would be the sort who would report the discrepancy upstream (or at least ask about it on an official forum).
Re: (Score:2)
From the post in the forum, it seems that only the source tgz in the mirrors was affected.
Fair enough, the site was /.ed when I looked so I wasn't able to glean that information
Re: (Score:2)
This is one of the reasons I do not 100% trust a package manager. Sure, it is more secure than downloading from a random site, but there is very little stopping an upstream security issue (or even malicious author) from making it into the mirrors, and I don't trust that all distro developers are checking that the hashes match either.
Re:Open source (Score:4, Insightful)
How is it a weakness? It's a weakness of the admin, but being open source didn't somehow make it easier to get malicious code into the source. People could just as easily hijack a binary file (and there's a good chance it would go unnoticed for a longer time).
Re: (Score:2, Insightful)
I'm implying that anyone who manages to get commit rights, or even a contributor who's good as obfuscating code, could implant a backdoor into a project. Remember the Debian SSL fiasco? Well, that sort of thing could happen maliciously. In a closed source development environment it's harder (note, I didn't say impossible) to get this sort of thing in, as the effort and/or expense required to inject a mole into the developer circle is higher and the personnel are typically more carefully vetted.
However, the
Re: (Score:2)
This wasn't commit rights.
This was attacking the mirrors.
You can do the same exact thing to closed source software, by infecting the binary with a malware installer.
many eyeballs Mirkwood forest (Score:2)
There's really no technical excuse for not catching a deviation between a release point in a VCS system and the associated tarball, assuming the VCS hasn't also been compromised.
Given this statement, the sensible eyeballs are validating the source as it exists in the VCS, and the sensible admins are checking the correspondence of the tarballs downloaded against the associated VCS checkout checksum. I'm not saying this is the procedure most sites us, just that there's no conceptual obstacle to making this h
Re:Open source (Score:5, Informative)
Re: (Score:2)
Yes, because this could have happened to closed-source software and no one would have known and it would never have been found.
Oh wait, we know that to be false.
This happened specifically because UnrealIRC is open source. And, let us not forget that many flossies love to talk about how such things as this can't happen because so many people are looking at the source code.
Re: (Score:2)
Re: (Score:2)
Yes, it only took a YEAR for it to be found.
You forgot that the person also has to have the time and resources, which most normal people don't have. The SAs and programmers where I work don't have the time to download and review the source of every bit of free software used in the company. And, I could do it for my personal systems, but I don't know C, C++, Python, and every other programming language used for th
Re: (Score:2)
Excuse me HALF A YEAR.
Re: (Score:3)
When did Debian and it's Free Software Guidelines become the required standard for open source. Oh, wait, it didn't.
Not every distribution uses apt, so not being in apt is not being less than open. Quite the reverse is true. By limiting themselves to apt, they are being less open.
So, what you are implying is that a standardized software packaging system, the creation of which flossies have fought tooth and nail because it would make things less free, is the way to go, but only if it is the system you prefer