[linux-elitists] Comprehensive list of Linux malware
Sat Nov 20 15:39:14 PST 2004
Etienne Goyer wrote:
> Mike MacCana wrote:
>> - Executable files not used to package software
>> Legitimate software is supplied as a package file that only needs to
>> be read by an existing, trusted executable installation app (i.e.,
>> up2date, apt-get).
> Considering package install scripts can do pretty much anything, and
> are usually run as root
What you've said is true, but the point I'm getting at there is a
different one (I probably could have worded it better). That point: not
only do you explicitly have to make a random file executable to run it,
people aren't in the habit of making files executable.
We've mentioned why "Download this file and run it" won't work (because
it won't be saved as executable).
This one's about "Download this file, make it executable, and run it"
(seems odd, none of my other software is installed that way).
So we're up to: "Install my GPG key, install my package". Indeed,
package signing isn't a panacea - people you trust might do bad things,
or bad people might convince you to install their key - but in the
latter situation, it makes it more obvious that a package that says it
comes from your vendor might not be.
"hrm, I've already installed a key for Red Hat / Dag Wieers / Webmin /
Proprietary Vendor before - seems a little dodgy they're asking me to
install a new one..."