[Slackbuilds-users] Concern about sources' provenance

Ben Mendis dragonwisard at gmail.com
Thu Jun 9 12:20:43 UTC 2011


I'm sorry, but this is really nothing new.

More wisdom from the ancients: http://cm.bell-labs.com/who/ken/trust.html


On Thu, Jun 9, 2011 at 5:19 AM, Hac Er <spamered at hotmail.com> wrote:

> Hello.
>
> I have discovered this piece of wisdom in the SlackBuilds site:
>
> "If you don't trust us to check the scripts for malicious activity,
> then please move along."
>
> This has made me wonder how secure the SlackBuild software in fact is.
> Sure, 99.9% of contributors are honorable people with pure motivations
> who work to enhance the whole Slackware community, but Black Hats do
> exist out there too.
>
> The main reason I prefer compiling my software myself is because
> unofficial binary packages can easily be trojanized or otherwise
> infected by malware. By using build scripts, you can just get the source
> code from the original author, then package it and install. However,
> many applications cannot be obtained from the original author anymore.
>
> Let's take Snort as an example. Snort upstream developers just provide
> the latest version on their site. That means SlackBuilds.org cannot just
> link to the original Snort x.y.z once Snort x.y.z+1 is released. This
> forces the script maintainer (Niels Horn in this case) to make Snort
> x.y.z available from another location (www.nielshorn.net in this case)
> and link to it from SlackBuild.org.
>
> I trust SlackBuild's statement of them checking the scripts for evil
> contents. In fact, many scripts are so simple that you can check them
> quickly in a few minutes. However... what happens if Niels Horn is one
> of those Black Hats who live in the shadows, slowly infecting computers
> all around the world as part of his plan for conquering the Earth? What
> is preventing him from patching the original Snort x.y.z and turning it
> into a dangerous backdoor? If Snort x.y.z was in www.snort.org, you
> could easily check if Niel's version is the same, but you only will be
> able to check against x.y.z+1 version. You can still modify the build
> script and build the last version of Snort from the authors website,
> yes, but this would be no solution for Niel infecting thousands of
> computers.
>
> What procedure is taken in order to avoid this nightmare?
> Because, knowing SlackBuild.org has a very good reputation and its
> software works flawlessly most of the time, I assume you have some
> method to prevent Niel and his friends from taking over the Slackware
> Universe.
>
> Niel, if you are reading this, sorry for being the bad guy of the
> story. I needed an example, and Snort was the first that came to my
> mind :-)
>
> _______________________________________________
> SlackBuilds-users mailing list
> SlackBuilds-users at slackbuilds.org
> http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
> Archives - http://lists.slackbuilds.org/pipermail/slackbuilds-users/
> FAQ - http://slackbuilds.org/faq/
>
>
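The concern quoted above is a provenance-check problem: a tarball fetched from a maintainer's mirror can be checked against the MD5SUM recorded in the SlackBuild's .info file, which proves it is the file the SlackBuilds.org admins reviewed, but only a checksum or signature obtained independently of that mirror (from upstream's release announcement, a distribution's package database, an earlier download) ties it to the original author. The script below is an added example, not code from the thread or from SlackBuilds.org; it assumes the .info layout used by SlackBuilds.org (`KEY="value"` lines, in particular `MD5SUM`), uses the same `x.y.z` placeholder version as the message, and stands in a constructed plain file for the real Snort tarball.

```shell
#!/bin/sh
# Added example (not part of the thread): verify a mirrored source tarball
# against the MD5SUM recorded in a SlackBuild .info file, and separately
# against a checksum obtained from somewhere other than the mirror.
set -u

# Read KEY="value" from a .info file (layout as used by SlackBuilds.org).
# The trailing '=' keeps MD5SUM from matching MD5SUM_x86_64.
info_field() {  # $1 = .info file, $2 = key
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# Return 0 when the tarball's MD5 equals the MD5SUM the .info file records.
# This shows the file is the one reviewed for the script, not that it is
# what upstream published.
check_sbo_md5() {  # $1 = .info file, $2 = tarball
    expected=$(info_field "$1" MD5SUM)
    actual=$(md5sum "$2" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Return 0 when the tarball matches a SHA-256 obtained independently of the
# mirror (upstream release notes, another distribution, an old download).
check_independent_sha256() {  # $1 = tarball, $2 = expected sha256
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$2" = "$actual" ]
}

# Constructed demonstration: a stand-in tarball containing "hello\n" (md5
# b1946ac92492d2347c6235b4d2611184) with a matching .info file, then the same
# file altered as a swapped-out mirror copy would be. Returns 0 when the
# pristine file passes and the altered one fails.
demo() {
    dir=$(mktemp -d) || return 1
    tarball="$dir/snort-x.y.z.tar.gz"           # placeholder name, constructed content
    printf 'hello\n' > "$tarball"
    cat > "$dir/snort.info" <<'EOF'
PRGNAM="snort"
VERSION="x.y.z"
DOWNLOAD="http://example.invalid/snort-x.y.z.tar.gz"
MD5SUM="b1946ac92492d2347c6235b4d2611184"
EOF
    check_sbo_md5 "$dir/snort.info" "$tarball" || { rm -rf "$dir"; return 1; }
    printf 'hello\nextra\n' > "$tarball"       # altered copy must be rejected
    if check_sbo_md5 "$dir/snort.info" "$tarball"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

demo && echo "constructed sample: pristine file accepted, altered file rejected"
```

`check_sbo_md5` is the check a SlackBuild user already gets from the .info file; `check_independent_sha256` is the one the message says is missing once upstream drops old releases, and it only has value if the expected digest really comes from a source the mirror operator does not control. A maintainer who hosts both the tarball and the recorded MD5SUM can keep them consistent, so the first check alone never rules out the scenario the post describes.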