[Wylug-help] ad/spyware

Roger Leigh rleigh at whinlatter.ukfsn.org
Sat Nov 27 01:11:16 GMT 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Hodrien <johnh at comp.leeds.ac.uk> writes:

> On Mon, 22 Nov 2004, James Holden wrote:
>
>> On Mon, 2004-11-22 at 09:21, John Hodrien wrote:
>>> On Sun, 21 Nov 2004, Roger Leigh wrote:
>>>
>>>> There are no "wild" viruses for Linux, and spyware is not an issue
>>>> given that software is not ever installed without your knowledge,
>>>> providing you use common sense (use vendor packages, build from
>>>> source).
>>>
>>> Protection afforded to you by building from source?
>>
>> You can verify the authenticity of the source using the gpg signatures
>> from the authors. You can then be sure that no funny patches have been
>> added by whoever built any binary packages you might otherwise use.
>
> But that's not a benefit of building from source, that's a benefit of using
> signatures.

There's also the possibility of a trojaned toolchain on the build
system (this has been known in the past), or virus infection etc..

- From a trust point of view, there is least trust in a random third
party binary compared with the official upstream source or official
packages from your distributor.  If you download someone else's build,
always ask yourself "why can't I build it myself?".

Not installing third-party binaries is one of reasons we don't see
viruses on Linux: it's removed the principal vector for their
introduction.  Shrink-wrapped Windows software, including stuff from
Microsoft themselves, has been known to be virus-infected due to the
developers' machines being compromised.

However, trojaned sources are not unknown.  One I'm personally aware
of is the deliberate breaking of micq by its author when built on a
Debian system (for his own reasons; in this case it didn't cause
malicious damage).  This was a serious breach of trust by its author,
and it was removed from Debian as a result, and only reintroduced many
months later after every line had been reviewed by Debian developers.
This was a relatively minor hack, due to a clash of personalities
between the micq developer and the package maintainer, which prevented
it running, but there is the potential for more serious hacks.  If
it's in the source code, it's going to be blindingly obvious, though.


Regards,
Roger

- --
Roger Leigh
                Printing on GNU/Linux?  http://gimp-print.sourceforge.net/
                Debian GNU/Linux        http://www.debian.org/
                GPG Public Key: 0x25BFB848.  Please sign and encrypt your mail.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFBp9QyVcFcaSW/uEgRAg3eAKCIfwUvxiM0VJtUdOlZr+qd4PTRtQCfUAwj
TsrZW4DrSxaLAAdB/F9Ci6k=
=+dYU
-----END PGP SIGNATURE-----

More information about the Wylug-help mailing list