The Sunday 2008-07-13 at 17:06 -0700, John Andersen wrote:
On Sun, Jul 13, 2008 at 5:01 PM, Carlos E. R.
Trojans usually involve a replacement module for a system module. To get a trojan to work on linux, you have to: 1) Convince someone to download it,
Just create an interesting repository in the build service and pervert it.
Or hack pervert an existing repo.
Or pervert the source code of some project, it might take some time till discovered.
Of these the last seems possible. Especially if the project is in disarray, and check-ins are not carefully watched.
But repos usually are signed, and in addition to the above you have to convince the masses that the key should be imported and trusted.
Just create a repo with a signature with the intention from the start to pervert it. It is signed, so what? There is no strong web of trust in the PGP sense (face-to-person signing of keys).

About convincing the masses to import the key, that's easy enough: once you want to add a repo, you just press enter when YaST asks about importing the key. What do you expect? How can we manually import each key, and whom do we ask if each repo (there are hundreds) is trustworthy? How do we know who is behind and responsible for each repo? Where are the descriptions of each repo, a declaration of intentions, a list of owners? No, we simply search for a repo that contains what we want (with a search engine, perhaps), add it, answer yes to all questions. Bingo! F!

I'm not saying there is immediate danger, but that there could be. It scares me more than viruses, that's a fact.

Cheers,
Carlos E. R.