[svlug] Suse was: Which linux distro for production ?

Rick Moen rick at linuxmafia.com
Sun Dec 19 10:20:53 PST 2004


Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):

> I think it is just marketing + their approach, not telephone bill.

That's not what _other_ European Linux users tell me, but I really have
nothing at stake in this dispute.  I'm just relating what I've heard,
and what seems logical to me.

What is also a factor is my just having given a LUG presentation (slides
at http://linuxmafia.com/presentations/[1]) about the history of malware,
describing in passing all known Linux malware packages to date,
including trojans, and attempting to put them in proper security
context.  As you'll see from the timeline, I detail trojaning incidents
at ftp.win.tue.nl (1999, affecting tcp-wrappers), monkey.org (2003,
affecting dsniff, fragrouters, and fragroute), irssi.org (2003,
affecting irssi), and kernel.bkbits.net (2003, affecting the Linux
kernel).

Let's consider the 1999 ftp.win.tue.nl site compromise, to get to my
point:  The intruders created a phony tcp-wrappers-7.6.tar.gz source
archive that was subtly trojaned, and left it there for downloaders.
The 53rd person to download it, several hours later, happened to be
Andrew Brown of Crossbar Security, Inc., who was alert enough to notice
that the package suspiciously lacked Wietse Venema's PGP signature, and
raised the alarm.  The prior 52 people had to be tracked down and
notified that they'd probably shot themselves in the foot
(root-compromised their systems).  Equally disturbing, it was reported
that a number of other ftp sites posted the trojaned version:  One hopes
that each of _those_ had someone as alert as Brown was, as downloaders.

My point?  That the existence of official packages and a defined set of
official maintainers serves several important purposes:  There's a chain
of accountability, implemented in part via verifiable crypto signatures.
There is the downstream quality control and additional checking they
perform on the upstream maintainers' work.  There is the small amount of
porting typically required to make a package work optimally on a given
distribution.  These are all reasons why getting source from upstream
and compiling it is usually a bad idea, unless you have a compelling
reason and are willing to assume for yourself the responsibility of
carrying out that work for yourself -- the way Andrew Brown did.

And, as a corollary to that, unofficial package repositories pose
security challenges in the same way that upstream source code on ftp
sites does, and should be approached with caution.

> Anyway for "desktop" boxes assistance is limited to installation. 

I'm astonished to hear of anything else, from distribution support
staff, really.

> Anyway could you give me a list of packages you decided to install
> from unstable? 

Pulling this from memory:  galeon, mozilla-browser, mozilla-firefox,
openoffice.org, abiword, abiword-plugins, mrproject.

> Just to have a rough idea about which packages you thought were
> worth/safe to install from sid?

Note:  I use only selected pieces from KDE and GNOME, not those whole
things.  Someone devoted to one of those "desktops" might be moved to
pull those from sid/unstable, if there happen at the time of upgrade to
be problems resulting from some pieces emerging from quarantine before
others.

[1] Apologies for the slides being too info-dense by about a factor of
three:  I'd never created slides before, and made the error of
more-or-less just pasting a lecture outline into OO.o Impress -- a dumb
error, and I'll avoid doing that in the future.

-- 
Cheers,   There are 10 types of people in this world, those who know quaternary,
Rick Moen those who only recently figured out Ron Fabre's "ternary" .sig, those
          who're completely confused, and those who hate self-referential jokes.
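The check Brown performed by hand (refuse an upstream tarball that has no verifiable signature) as a small shell gate, added here as an example and not taken from the original post; it assumes gpg is installed and that the keyring path and file names are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original post: gate the "fetch upstream
# source" step behind a detached-signature check against a pinned keyring.
# Assumes gpg is installed; KEYRING and tarball names are placeholders.

# verify_upstream_tarball TARBALL SIGNATURE KEYRING
#   0: SIGNATURE is a good signature on TARBALL by a key in KEYRING
#      (a keyring you populated and pinned beforehand, not a keyserver)
#   1: gpg rejected the signature (or could not verify it)
#   2: no signature file at all (the ftp.win.tue.nl 1999 situation)
#   3: tarball itself is missing
verify_upstream_tarball() {
  tarball=$1
  sig=$2
  keyring=$3
  if [ ! -f "$tarball" ]; then
    echo "REJECT: $tarball not found" >&2
    return 3
  fi
  if [ ! -f "$sig" ]; then
    echo "REJECT: $tarball has no detached signature; do not unpack" >&2
    return 2
  fi
  # --no-default-keyring + --keyring: trust only keys you imported on purpose.
  # --status-fd 1 yields machine-readable status lines; VALIDSIG is emitted
  # only for a good signature over the data, so require exactly that.
  if gpg --batch --no-default-keyring --keyring "$keyring" --status-fd 1 \
       --verify "$sig" "$tarball" 2>/dev/null \
     | grep -q '^\[GNUPG:\] VALIDSIG '; then
    echo "OK: $tarball signature verified against $keyring"
    return 0
  fi
  echo "REJECT: signature on $tarball did not verify against $keyring" >&2
  return 1
}

# Typical use (placeholder names): only unpack after the gate passes.
# verify_upstream_tarball tcp_wrappers_7.6.tar.gz tcp_wrappers_7.6.tar.gz.sig \
#     "$HOME/.gnupg/upstream-pinned.kbx" && tar xzf tcp_wrappers_7.6.tar.gz
```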