Alexander, I'll post a link to your response wherever I can. Awesome explanation. Cheers, Eu.

On 06/08/2014 15:44, "Alexander Rødseth" <[email protected]> wrote:
> Hi,
>
> When people install popular packages from AUR, I think the chances are low that there is anything malicious there, because of the number of people that will have read the PKGBUILD.
>
> Of course, if upstream includes something malicious deep into the source in a tarball, it could be somewhat harder to discover, but I think this is unlikely. If someone would want to do this, they would first have to either create a package with malicious components and then try to make it popular (which is hard) or try to sneak in a patch for an existing project, which is also hard. The number of obstacles and number of eyes to pass by is relatively high (should be high enough for someone to notice), and the malicious people would have to be patient. I may be filled with prejudice towards malicious people, but I believe them to be less patient than the average non-malicious person.
>
> I also think the official packages are safe. The number of steps a malicious person would have to go through is high, and there is much checking of what TUs/devs do from both other TUs/devs and the public.
>
> Extreme patience and sneakiness would have to be employed for someone to even be a little bit malicious with the most popular AUR packages or the official packages. And even then, there are the filesystem permissions, and other security measures in Linux, to overcome if a malicious person is to do anything worthwhile (to the degree that maliciousness could be worthwhile). People may even have installed more fine-grained security with something like SELinux, which would render the endeavor even harder to accomplish.
>
> The unpopular AUR packages are a completely different story. There would be few eyes on both the upstream code and the PKGBUILDs and it would be extremely easy to try to do something malicious. However, just one dedicated Arch Linux user should be enough to check if it did anything malicious, at least for types of maliciousness that are easy to notice for the user, like deleting files or filling the hard drive with pictures of ponies.
>
> Of course, if the upstream sources were from a respected company or organization, it would be easy to read the PKGBUILD and unlikely that the sources contained anything malicious.
>
> Back to the question: I don't know and haven't heard of any cases of actual malice in any Arch Linux packages, neither official ones, nor unofficial ones in AUR.
>
> The worst case I encountered was an AUR package made by someone clueless that cluttered all sorts of directories with misplaced files at install time. This probably does not qualify as malicious, and the package was swiftly removed from AUR.
>
> When it comes to the safety of code, it can be really hard to tell if it is malicious or safe just by reading it. There is a competition called "The Underhanded C Contest" where people contend in hiding code in code: http://underhanded.xcott.com/. And that's only for the packages where the source is open! Who knows what upstream projects with only binary files available might do.
>
> The official Skype package has no available sources, only binary files. According to a recent article by Ars Technica, Skype is vital to NSA surveillance:
>
> http://arstechnica.com/security/2014/05/encrypted-or-not-skype-communications-prove-vital-to-nsa-surveillance/
>
> The likelihood that Skype is malicious in other ways than this is probably low, but how can we know for sure? Even with the source code, it would take quite a bit of time and effort to be 100% sure (ref. the Underhanded C Contest).
>
> If malicious and unpopular AUR packages would ever become a problem, we could have some sort of required vetting (of the users and/or packages in question) before the packages were made public. I really hope it doesn't come to that. It would just be more work for everybody involved, with little gains for the potentially malicious people.
>
> One would think that the computers that the serious, malicious, sneaky and patient people would target, would rather be the faster and more well connected computers in the world, which are hopefully run by people that care about security and won't install random packages from AUR on their servers.
>
> For now, I think the official packages and popular AUR packages are safe, but be careful with the unpopular AUR packages.
>
> --
> Cheers,
> Alexander Rødseth / xyproto
