[Slackbuilds-users] Concern about sources' provenance

Hac Er spamered at hotmail.com
Thu Jun 9 09:19:25 UTC 2011


Hello.

I have discovered this piece of wisdom in the SlackBuilds site:

"If you don't trust us to check the scripts for malicious activity,
then please move along."

This has made me wonder how secure the SlackBuild software in fact is.
Sure, 99.9% of contributors are honorable people with pure motivations
who work to enhance the whole Slackware community, but Black Hats do
exist out there too.

The main reason I prefer compiling my software myself is because
unofficial binary packages can easily be trojanized or otherwise
infected by malware. By using build scripts, you can just get the source
code from the original author, then package it and install. However,
many applications cannot be obtained from the original author anymore.

Let's take Snort as an example. Snort upstream developers just provide
the latest version on their site. That means SlackBuilds.org cannot just
link to the original Snort x.y.z once Snort x.y.z+1 is released. This
forces the script maintainer (Niels Horn in this case) to make Snort
x.y.z available from another location (www.nielshorn.net in this case)
and link to it from SlackBuilds.org.

I trust SlackBuilds' statement that they check the scripts for evil
contents. In fact, many scripts are so simple that you can check them
quickly in a few minutes. However... what happens if Niels Horn is one
of those Black Hats who live in the shadows, slowly infecting computers
all around the world as part of his plan for conquering the Earth? What
is preventing him from patching the original Snort x.y.z and turning it
into a dangerous backdoor? If Snort x.y.z were on www.snort.org, you
could easily check whether Niels's version is the same, but you will only
be able to check against the x.y.z+1 version. You can still modify the
build script and build the latest version of Snort from the authors'
website, yes, but this would be no solution to Niels infecting thousands
of computers.

What procedure is taken in order to avoid this nightmare?
Because, knowing SlackBuilds.org has a very good reputation and its
software works flawlessly most of the time, I assume you have some
method to prevent Niels and his friends from taking over the Slackware
Universe.

Niels, if you are reading this, sorry for making you the bad guy of the
story. I needed an example, and Snort was the first that came to my
mind :-)
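Added example (not part of the original message, and not SlackBuilds.org's or Niels Horn's own tooling): the check the message is asking for, in shell. A re-hosted tarball can be compared against a digest recorded in the SlackBuild's .info file (SlackBuilds.org .info files carry an MD5SUM field), or against a digest published by any source the re-hosting maintainer does not control, such as upstream's release announcement or another distribution that packaged the same version. The .info contents, file names, the DOWNLOAD URL and the tarball bytes below are all constructed stand-ins; the tool names md5sum and sha256sum are the coreutils ones.

```shell
#!/bin/sh
# Added example: verify a re-hosted source tarball against a trusted digest.
# Assumptions: the .info file records the tarball's digest as MD5SUM="<hex>"
# (SlackBuilds.org style), and md5sum/sha256sum from coreutils are installed.

# Print the MD5SUM value recorded in a SlackBuilds.org-style .info file.
info_md5() {
    sed -n 's/^MD5SUM="\([^"]*\)".*/\1/p' "$1"
}

# verify_tarball FILE EXPECTED_HEX [TOOL]
# Compares the digest of FILE (md5sum by default; pass sha256sum when the
# trusted source publishes SHA-256) with EXPECTED_HEX.
# Returns 0 on match, 1 on mismatch or when FILE cannot be read.
verify_tarball() {
    file=$1
    expected=$2
    tool=${3:-md5sum}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$("$tool" "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $tool $expected"
        return 0
    fi
    echo "MISMATCH: $file has $tool $actual, expected $expected" >&2
    return 1
}

# make_fixture DIR: write constructed stand-ins for what a SlackBuild
# download would leave behind: a tarball, a tampered copy, and the .info.
# The "tarballs" are placeholder text, not real archives; only their
# digests matter here.
make_fixture() {
    dir=$1
    printf 'constructed snort-x.y.z source stand-in\n' \
        > "$dir/snort-x.y.z.tar.gz"
    printf 'constructed snort-x.y.z source stand-in plus a backdoor\n' \
        > "$dir/snort-x.y.z-tampered.tar.gz"
    sum=$(md5sum "$dir/snort-x.y.z.tar.gz" | awk '{print $1}')
    # Minimal constructed .info; the URL is a placeholder, not a real mirror.
    cat > "$dir/snort.info" <<EOF
PRGNAM="snort"
VERSION="x.y.z"
DOWNLOAD="http://example.invalid/snort-x.y.z.tar.gz"
MD5SUM="$sum"
EOF
}

# Stand-alone demo: build the fixture in a temp dir and check both tarballs.
demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d"
    expected=$(info_md5 "$d/snort.info")
    verify_tarball "$d/snort-x.y.z.tar.gz" "$expected"
    verify_tarball "$d/snort-x.y.z-tampered.tar.gz" "$expected" || true
    rm -rf "$d"
}

demo
```

The caveat the message itself raises still applies: an MD5SUM written by the same maintainer who re-hosts the tarball only detects download corruption or a third party tampering with the mirror, not a malicious maintainer. For that, the expected digest must come from somewhere the maintainer does not control, or the tarball must be checked against upstream's detached signature with gpg --verify where upstream signs releases.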


