[svlug] OpenSSH source may be trojaned, unless...

J. Paul Reed preed at sigkill.com
Thu Aug 1 15:33:47 PDT 2002


On Thu, 1 Aug 2002, Bruce O. Benson wrote:

> > Let's say Sue runs Debian, but she just downloaded, built, and
> > installed the trojaned openssh.  Is she ok?
>
> "apt-get install source ssh" retrieves safe non-trojaned OpenSSH source.  So
> yes, Sue's OK.

Since when does "just downloaded" imply using apt-get?

Or are you saying that Debian restricts its users from getting the source
using ftp/wget/etc. and running "configure; make; make install" themselves?

An interesting datapoint in and of itself considering you were ranting
about people making assumptions based upon your statements.

Later,
Paul
   -----------------------------------------------------------------------
   J. Paul Reed                 preed at sigkill.com || web.sigkill.com/preed
   Wait, stop!  We can outsmart those dolphins.  Don't forget: we invented
   computers, leg warmers, bendy straws, peel-and-eat shrimp, the glory
   hole, *and* the pudding cup!  -- Homer Simpson, Tree House of Horror XI





More information about the svlug mailing list