Thomas Delrue on 1 Jun 2015 08:15:54 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] SourceForge has Malware?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

*puts on tinfoil hat*

Do you look at the source before you compile it? What if the code you
get is not the code you think you got? Did you validate the sig of the
code; GPG or MD5 or whatever?
And even upon that: do you trust your compiler? (For you yung'ens, I'm
referring to the "Thompson Hack" - see
https://en.wikipedia.org/wiki/Thompson_hack#Compiler_backdoors)

I'm not trying to be facetious here but just pointing out that 'just
compiling the code' isn't necessarily better unless you inspect what you
compile and compile it with a trusted compiler. It may give you
an unwarranted and false sense of security. What if during the time that
SF took over the account, they injected the code with the
crapware-delivery as well?

Broadening this even further (and putting on my secondary tinfoil hat):
with everyone dumping their code on GitHub instead of hosting it on
their own server; what if GitHub suddenly goes rogue? How do you know
that the code you see on GitHub the 'real code'?
There was an interesting article on SoylentNews.org yesterday that
brushed on this talking about how everyone is raving about distributed
SCCSs and then puts all their code on a single centralized GitHub:
https://soylentnews.org/article.pl?sid=15/05/30/1447245 (note: I am not
advocating for or against the 'decentralized GitHub')

*takes off tinfoil hat(s)*

By compiling the code, you are however reducing the chances that you'll
get crapware like what SourceForge is delivering because injection of
those things are likely to be detected before they can become a real
issue. More subtle and 'tailored' hacks may not be so easy to detect and
be inserted over long or longer periods of time.

*now /really/ takes off the tinfoil hat*

I realize that at this point I'm not offering solutions and am just
pointing at problems but at least it gets me to start /thinking/ about
solutions.

I'm a heavy Mercurial user which has a 'sign' feature: you can
crypto-sign a commit - and therefore it plus all of it's ancestors - I
think this enables a higher level of trustworthiness. This feature is
used in the mercurial source code itself.
While it does put the onus on the user to perform the validation, it is
things like that may increase trustworthiness in source-based software
distribution.

I don't know if git (what all the 'cool' kids are using these days) has
a similar feature. I'd be surprised if it doesn't but am looking at this
community to inform me.
If git has this feature, how extensively is it used for mainstream
projects (I haven't seen anything like this in for instance the Linux
Kernel repo) ?

On a different note: it looks like anything that gets taken over by Dice
(SlashDot, SourceForge) gets corrupted and becomes something to be
avoided. But that's just my opinion...

On 06/01/2015 10:21 AM, Keith C. Perry wrote:
> This is why I compile as much as possible and get the source to 
> compile from the writer's website.
> 
> Still, someone at sourceforge / dice needs to be fired for this 
> implementing this practice.  Distributing binaries implies a level
> of trust that doesn't have to be earned so when it gone, its done.
> 
> --- KP-
> 
> On Jun 1, 2015 03:00, Rachel Rawlings <rachelneko@gmail.com> wrote:
>> 
>> Soutceforge has begun bundling extra software in their installers. 
>> These are programs they're psid to include as/like advertising, and
>> there's no opt-out (othrr than downloading the, you know, source).
>> 
>> Some of the bundled software has included malwsre and annoyware. 
>> This practice actually started in 2013 after they were acquired by 
>> dice.com, and you can read a hellacious saga in the filezilla 
>> community fora.
>> 
>> It recently became a scandal again after sf spent a week bundling
>> a search hijacker called Binkiland. 
>> http://sdtimes.com/sd-times-blog-sourceforge-now-a-source-of-malware/
>>
Sourceforge has indeed joined the dark side.
>> 
>> On May 31, 2015 9:33 PM, "Anthony Martin" 
>> <anthony.j.martin142@gmail.com> wrote:
>>> 
>>> Just wondering if anyone knows if theres truth to this or not? 
>>> (sorry if this is old news) 
>>> http://helb.github.io/goodbye-sourceforge/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJVbHcjAAoJEKosl9oIs/pO950QAMQV7oXkb/5AuHnhLA0w/YPe
TIceRjTQDtWQA82ZpktWXtWug6t/zJPFEmLxhFwnlGZVk3MuatfqoIOxUBy9ep1D
SDdhgyFflG+YGK3rKuv+jeVR1XyG70c9EubmIF2RVoOxbTZdFhy2dMnKQYYDdsDh
ZqPvacWUa6fbaxrq/p7ophkG3EOssDlwYB2t2JDUFiM8oehoosACf4NmZ/S7B9qK
k6sogoFm0L6r/yRAFZhS850U4daO3eyGcQjrfV53g00ru9oRhBdIJiypJhKnh8ZD
a2J7InAfD50781dR6gIeOQkv5zp45g8i4X7r2WZoumfr5ewf9OPuSKTCAqVXqLXS
VZbj/7evw3rhvf0zjIgKKm+1q0/y6AeF8xDLgcklFlsSvR5b24GRkF/IylBww/85
0hqm5unHc2uaKUxTiI0ID7sodFTEPAqogHC20o/NxSxszpNVnzmnbiA6PIFNRfsx
6eaEMfCMRn0N49gQ8D5v4wlye/qFV3UOlh8pgt+jHq8BWtKo0iBnyFXDapUUYUDW
1/AwFemF6rJzzsyrTrLrZPxyuzNV6sgdMJDvtb+yfUyewYfyS3Xq9RBTe/4wAeSV
zVy2gBDE9E054B9kmyYal3wGkA9LAgX6vAsqwRdO6tb+BxH/wm5NMHnHd4HrBWXm
nHv2jpV02IzXfDG60iIY
=9ZZX
-----END PGP SIGNATURE-----
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug