[svlug] OpenSSH source may be trojaned, unless...

Bruce O. Benson benson at tux.org
Thu Aug 1 16:47:05 PDT 2002

On Thu, 1 Aug 2002, J. Paul Reed wrote:
> On Thu, 1 Aug 2002, Bruce O. Benson wrote:
> > "apt-get install source ssh"

Doh.  That's "apt-get source" not "apt-get install source"

> Since when does "just downloaded" imply using apt-get?
> Or are you saying that Debian restricts its users from getting the source
> using ftp/wget/etc. and running "configure; make; make install" themselves?

Well, let's use a more useful example.  Suppose Sue wants to play with
sslwrap source code.

I'll be very assumptive here once again, and say Sue performs an

"apt-get source sslwrap"

...without caring where the main sslwrap developer/download site is.
Automatically, Sue gets all of the original upstream tarball, the Debian
package manager's diffs, and the untarred source, which are made immediately
available in /usr/src.

Now suppose she wants to make sure that the build dependencies it needs
are installed as well.  So Sue runs

"apt-get build-dep sslwrap"

...and sure enough, libssl-dev is needed, and immediately downloaded, and
installed.  Where is libssl developed anyway?  Or to put it assumptively, Sue
just doesn't give a toss where it gets made, because someone else packaged it
up and made it command-line-accessible.  All this for the same price as
Microsoft Windows Update.

Now "make all" performs something really useful for Sue.

So I completely concede what I believe to be your point:  It is very
assumptive of me to assert (given Sue runs Debian) that Sue would not
rather hop around the net, get all the tarballs and their dependencies from
all the individual sites, then untar them manually somewhere and attempt
to compile.

She is, however, entirely free to do so.

Bruce O. Benson, Co-Chair,
NovaLUG Security SIG.
mailto:benson at tux.org  |  http://novalug.tux.org
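An added example, not part of the message above and not Debian's or apt's own code: what "apt-get source" does for Sue behind the scenes is fetch the .dsc, the .orig.tar.gz and the .diff.gz and hand them to dpkg-source -x, which refuses to unpack unless every file matches the md5sum and size recorded in the .dsc's Files: stanza. The script below re-implements only that check so the step is visible, builds a constructed source package (package name "demo", its version, and the placeholder "tarball" and "diff" bytes are all made up), and shows the check catching a tarball that was modified after packaging. Two caveats a practitioner should keep in mind: the recorded md5sums are whatever the maintainer's machine saw at build time, so this detects substitution on the mirror or in transit, not a trojan that upstream or the maintainer shipped in the first place; and the .dsc's own signature is a separate check (the dscverify tool from devscripts checks it against the Debian keyring), which apt-get source of that era did not perform for you.

```shell
#!/bin/sh
# Added example, not code from the original post or from Debian/apt.
# Re-implements the md5sum/size check dpkg-source performs against the
# "Files:" stanza of a .dsc before unpacking a source package.
# Package name "demo", its version, and the placeholder archive bytes are
# constructed for the demo; they are not real archives or a real package.

# verify_dsc_files DSC DIR
# Returns 0 when every file listed under "Files:" in DSC exists in DIR with
# the recorded md5sum and byte size, 1 otherwise.  One line of output per file.
verify_dsc_files() {
    dsc=$1; dir=$2; rc=0
    list=$(mktemp)
    # Files: stanza = continuation lines (leading space) after "Files:",
    # each "<md5> <size> <name>"; the next non-indented field ends it.
    awk '/^Files:/ { f = 1; next }
         /^[^ ]/   { f = 0 }
         f && NF >= 3 { print $1, $2, $3 }' "$dsc" > "$list"
    while read -r want_md5 want_size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got_md5=$(md5sum "$path" | cut -d' ' -f1)
        got_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$got_md5" = "$want_md5" ] && [ "$got_size" = "$want_size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name: .dsc says $want_md5/$want_size, got $got_md5/$got_size"
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# make_sample_source DIR
# Writes a constructed source package into DIR: two placeholder files and a
# minimal .dsc whose Files: stanza records their actual md5sums and sizes.
make_sample_source() {
    dir=$1
    printf 'constructed stand-in for the upstream tarball\n' > "$dir/demo_1.0.orig.tar.gz"
    printf 'constructed stand-in for the Debian diff\n'      > "$dir/demo_1.0-1.diff.gz"
    {
        printf 'Format: 1.0\nSource: demo\nVersion: 1.0-1\nFiles:\n'
        for f in demo_1.0.orig.tar.gz demo_1.0-1.diff.gz; do
            printf ' %s %s %s\n' \
                "$(md5sum "$dir/$f" | cut -d' ' -f1)" \
                "$(wc -c < "$dir/$f" | tr -d ' ')" "$f"
        done
    } > "$dir/demo_1.0-1.dsc"
}

# tamper_tarball DIR
# Simulates a tarball swapped on the download site after the .dsc was made.
tamper_tarball() {
    printf 'extra bytes that were not in the packaged upstream tarball\n' \
        >> "$1/demo_1.0.orig.tar.gz"
}

# Demo: the package as packaged verifies; the modified tarball does not.
work=$(mktemp -d)
make_sample_source "$work"
echo "--- as packaged:"
verify_dsc_files "$work/demo_1.0-1.dsc" "$work" && echo "verdict: unpack"
tamper_tarball "$work"
echo "--- after the tarball is modified:"
if verify_dsc_files "$work/demo_1.0-1.dsc" "$work"; then
    echo "verdict: unpack"
else
    echo "verdict: refuse to unpack"
fi
rm -rf "$work"
```

The while loop reads from a temporary file rather than a pipe so that the rc variable set inside it survives in a POSIX sh, where a piped loop runs in a subshell; a missing listed file is treated as a failure just like a mismatch, since a .dsc whose referenced files are incomplete should not be unpacked either.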
