[Slackbuilds-users] Concern about sources' provenance
Hac Er
spamered at hotmail.com
Thu Jun 9 11:45:11 UTC 2011
On Thu, 9 Jun 2011 16:36:00 +0700
Willy Sudiarto Raharjo <willysr at gmail.com> wrote:
> That's why in SBo, they never give any source in the repository
> you have to download the source by yourself
>
> if you don't believe the script, you can check whether it tries to
> patch or do something malicious and you can always edit the script
> according to your senses.
>
> In most cases, the script can be used to compile x.y+1, x.y+2, or
> even more; you only need to edit the VERSION line
>
I get your point. Anyway, even if it is true that you can track the source
by yourself, or modify the SlackBuild if necessary, the background
question remains unanswered.
SlackBuilds.org does not host the sources itself, but provides links
to them. I wouldn't trust some of these links if I were given no
guarantee they are trustworthy. That's exactly what I am asking: How do
SBo administrators ensure they are linking to the right sources?
This is a non-trivial question. Experience shows that many sites that
trust their uploaders to play fair end up hosting some percentage of
malware. I myself usually track the original code to build my packages,
but look at this:
http://slackbuilds.org/repository/13.37/multimedia/HandBrake/
****TRACKING DOWN THIS THING IS HELL!!!******
It is understandable that many will just say "What the hell, I'm not
going to spend the whole week checking these packages one by one". They
will follow the links provided by SBo. If the maintainer (klaatu in
this case) was not as honorable as we might think, he could post a
link to a trojanized "libass" (for example).
Paranoid? Sure. But the fact is that the link that SBo provides for
libass is:
http://libass.googlecode.com/files/libass-0.9.9.tar.bz2
when the libass needed by the upstream HandBrake is here:
http://download.m0k.org/handbrake/contrib/libass-0.9.9.tar.bz2 (I
obtained this link from the source code itself).
I have tested both of them by various checksums (it is good to use more
than one. MD5 is good for error detection, but is vulnerable when used
for security purposes). It seems klaatu is a man of honor after all.
Anyway, if he was not, and no one checked if libass is clean, klaatu
would own many computers he has not bought, if you get my point.
The question remains: How do administrators decide if the links they
post are trustworthy?
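The check described in the post, comparing the tarball linked by SBo against the copy shipped with upstream and using more than one digest algorithm, as an added example that is not part of the original thread or of any SlackBuilds.org script. It assumes GNU coreutils (sha256sum, md5sum) with a fallback to the BSD/Perl tools, and the file names and digests in the usage comment are constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original thread or from SBo): check a source
# tarball against more than one digest, and compare two copies of the same
# tarball fetched from different locations. Assumes sha256sum/md5sum
# (GNU coreutils) or, failing that, shasum/md5 (BSD, macOS).

# digest FILE ALGO  -> prints the hex digest of FILE for ALGO (md5|sha256)
digest() {
    _file=$1
    _algo=$2
    case $_algo in
        md5)
            if command -v md5sum >/dev/null 2>&1; then
                md5sum "$_file" | cut -d' ' -f1
            else
                md5 -q "$_file"
            fi
            ;;
        sha256)
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum "$_file" | cut -d' ' -f1
            else
                shasum -a 256 "$_file" | cut -d' ' -f1
            fi
            ;;
        *)
            echo "unknown algorithm: $_algo" >&2
            return 2
            ;;
    esac
}

# verify_source FILE EXPECTED_MD5 EXPECTED_SHA256
# Succeeds only if BOTH digests match. An MD5 alone detects transfer
# errors; the SHA-256 is what actually protects against a substituted file.
verify_source() {
    _file=$1
    _exp_md5=$2
    _exp_sha=$3
    _ok=0
    _got_md5=$(digest "$_file" md5)
    _got_sha=$(digest "$_file" sha256)
    if [ "$_got_md5" != "$_exp_md5" ]; then
        echo "MD5 mismatch for $_file: expected $_exp_md5, got $_got_md5" >&2
        _ok=1
    fi
    if [ "$_got_sha" != "$_exp_sha" ]; then
        echo "SHA-256 mismatch for $_file: expected $_exp_sha, got $_got_sha" >&2
        _ok=1
    fi
    return $_ok
}

# same_source FILE_A FILE_B
# Compare two copies of a tarball (e.g. the SBo-linked one and the one
# bundled upstream) under every algorithm. Succeeds only if all agree.
same_source() {
    for _algo in md5 sha256; do
        _a=$(digest "$1" "$_algo")
        _b=$(digest "$2" "$_algo")
        if [ "$_a" != "$_b" ]; then
            echo "$_algo differs: $1=$_a $2=$_b" >&2
            return 1
        fi
    done
    return 0
}

# Usage (placeholder names/digests, not values from the thread):
#   sh verify.sh libass-0.9.9.tar.bz2 <md5 from .info> <sha256 from upstream>
#   sh verify.sh sbo-copy.tar.bz2 upstream-copy.tar.bz2
case $# in
    3) verify_source "$1" "$2" "$3" && echo "all digests match" ;;
    2) same_source "$1" "$2" && echo "both copies are identical" ;;
esac
```

Requiring every digest to match (rather than any one of them) is the point of "use more than one": a file that keeps its MD5 but changes under SHA-256 is exactly the case a single MD5 check would wave through.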