I am wondering exactly how safe are the Arch, Ubuntu, Mint and Manjaro repositories. What testing is done to ensure that a trusted user does not place a virus in a package, and how often?
-
(+2) this is distro-related, so you should ask in the forum of each of them – The Illusive Man Jul 05 '16 at 18:18
-
(+6) Linux Mint ISO repository was pwned this year: http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-on-its-website-and-forum-after-hack-attack/ The attacker substituted a fake ISO, so this is not exactly on the repo side, but maybe this information can interest you – Sibwara Jul 05 '16 at 18:39
-
very unlikely, there is a large amount of peer review in linux distros – noɥʇʎԀʎzɐɹƆ Jul 05 '16 at 18:45
-
@JamesLu how does the peer review work when checking compiled binaries? Do people compile, then compare sums or something? – user Jul 05 '16 at 18:53
-
@user people independently compile binaries and then do a checksum with the other user's binary – noɥʇʎԀʎzɐɹƆ Jul 05 '16 at 18:56
-
malware does not have to be a virus, there is stuff like unity-lens in Ubuntu (removed in later editions) – prusswan Jul 05 '16 at 19:32
-
Welcome to the world of Open Source. Many contributors + some/minimal testing = potential. – HashHazard Jul 05 '16 at 19:38
-
@drewbenn I'm just saying it's definitely possible – noɥʇʎԀʎzɐɹƆ Jul 05 '16 at 20:15
-
(+8) Don't most major distributions package systemd these days? – R.. GitHub STOP HELPING ICE Jul 05 '16 at 20:36
-
(+5) You ask one question in the title, and then two other entirely different questions in the body. Don't do that. That's misleading. The title should match the body of your question. Also, we want you to ask only one question per question; this site doesn't work as well if you ask multiple questions. As it stands, this question is too broad to be a good fit here. I suggest you edit your question to narrow it down to ask only *one* question. You can post the other questions elsewhere. – D.W. Jul 06 '16 at 00:38
-
(+1) Somewhat related: there was [an unsuccessful attempt](https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/) to add a backdoor to the Linux kernel in 2003. Interesting read. – marcelm Jul 06 '16 at 10:14
-
@D.W. Is it better now? – user Jul 06 '16 at 17:11
-
Packages are signed to ensure that an attacker cannot modify repository data. However, since your question explicitly focuses on handling *"trusted users"* submissions, the process is heavily distro-specific. – WhiteWinterWolf Jul 10 '16 at 09:15
-
similar questions: my question, posted yesterday: https://security.stackexchange.com/q/238261 . a question to which i answered today: https://security.stackexchange.com/a/238293 . that my answer also answers this question. seems there are also other questions, (i see them in "related" block), when i check, i will link, in sha'a llah (if god wills). – qdinar Sep 14 '20 at 15:49
-
what do you mean by "trusted user"? see my comment https://security.stackexchange.com/questions/129243/has-malware-ever-been-found-in-a-package-from-a-large-linux-distribution-and-wha#comment488038_129248 , do i understand correctly? if yes, then somebody (also me) may edit this question. – qdinar Sep 14 '20 at 15:58
1 Answer
Linux Mint was compromised and a backdoored ISO was deployed, Ubuntu was compromised, the entire Linux Kernel was compromised before, as were others (Debian, FreeBSD, etc). Developers protect code through checks and balances in what code is accepted into the mainline source code repository, and checksums. The issues revolve around whether or not an attacker can modify checksums without detection. Most, if not all, developers are quick to detect changes and address them accordingly.
One of the issues surrounding "how did the hackers get in" revolved around an attacker targeting a developer, then using that developer's credentials to make changes. That was addressed using two-factor authentication (2FA), which makes it more difficult than a typical attack (exploits, social engineering, brute forcing).
Each distribution is likely to have their own checks and balances in place, but it usually boils down to audits, checksums, and anomaly detection.
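The answer above and the comments on signing and independently compiled binaries describe two detection mechanisms: a signed checksum manifest that a tampered package (or a rewritten manifest) fails against, and comparing the checksums of independent rebuilds. The following is an added illustration, not any distribution's tooling; the package contents and the builder names are constructed, and an HMAC under a constant key stands in for the repository's detached GPG signature.

```python
"""Added model of signed-manifest verification and rebuild comparison.
Not any distro's code; HMAC is a stand-in for the repo's GPG signature."""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter

# Constructed stand-in for the repository signing key (real repos use a GPG key).
MANIFEST_KEY = b"constructed-repo-signing-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict[str, bytes]) -> tuple[str, str]:
    """Return (manifest text in sha256sum format, signature over the manifest)."""
    lines = [f"{sha256(blob)}  {name}" for name, blob in sorted(packages.items())]
    manifest = "\n".join(lines) + "\n"
    signature = hmac.new(MANIFEST_KEY, manifest.encode(), "sha256").hexdigest()
    return manifest, signature


def verify_repo(packages: dict[str, bytes], manifest: str, signature: str) -> list[str]:
    """Return a list of problems; empty means every package matches the signed manifest."""
    expected = hmac.new(MANIFEST_KEY, manifest.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signature):
        # Manifest was rewritten by someone without the signing key: nothing in it is trusted.
        return ["manifest signature invalid"]
    listed = {}
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        listed[name] = digest
    problems = []
    for name, blob in sorted(packages.items()):
        if name not in listed:
            problems.append(f"{name}: not in signed manifest")
        elif sha256(blob) != listed[name]:
            problems.append(f"{name}: checksum mismatch")
    return problems


def rebuild_consensus(builds: dict[str, str]) -> list[str]:
    """Given builder -> checksum of an independent rebuild of one package,
    return the builders whose output disagrees with the majority checksum."""
    if not builds:
        return []
    majority, _ = Counter(builds.values()).most_common(1)[0]
    return sorted(builder for builder, digest in builds.items() if digest != majority)
```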
-
(+24) Your links about Ubuntu and the Linux kernel are misleading - one was the Ubuntu community servers, and it sounds like they became part of a botnet, and the Linux kernel.org was totally unrelated to the kernel source code. The only legitimate one in your list is Mint, which was done by redirecting the download link presented by the front-end, rather than by injecting malware into the legitimate source. – Mark Henderson Jul 05 '16 at 21:47
-
@MarkHenderson I beg to differ (Kernel.org) and it all boils down to who you ask. (See notes on thread, not that Reddit is a de facto must-read: https://www.reddit.com/r/archlinux/comments/k0oot/kernelorg_archs_main_mirror_compromised_is_there/). I didn't post about Debian (http://www.linuxinsider.com/story/32240.html), nor did I link RedHat which had code repos compromised (http://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/). I didn't feel like doing the obvious (Googling) and typed based on recollection. – munkeyoto Jul 05 '16 at 22:01
-
(+6) Doesn't this question ask about package repositories, not the core operating system? – Sam Weaver Jul 06 '16 at 01:55
-
(+2) @SamWeaver Yeah, but if your OS is bonked then your repos don't matter. – wchargin Jul 06 '16 at 05:01
-
this answer missed the point "a trusted user does not place a virus in a package". by "trusted user" he means package maintainers who use the repository and probably also the heads of the repository/distro who keep and use the repo's private key, and also repo and build server admins. those 2-3 people can organise as a group and put malware in a package, and they are trusted people, trusted by distro users... – qdinar Sep 14 '20 at 15:56