security of the universe repository

Chandra Amarasingham camarasingham at yahoo.com
Thu Dec 20 08:36:58 UTC 2012


I guess there would be malware scanners on the repo servers...but the 
kind of malicious code we are talking about probably would not be 
recognized by scanners? Kind of once-off code stealthily injected into a 
code base?  Somewhere in the stream of contributions?

but this is not really confined to open source, it could also happen in 
proprietary software by a company employee I guess....

Chandra

On 12/20/2012 07:21 PM, Patrick Asselman wrote:
> On 2012-12-18 15:01, Amichai Rotman wrote:
>>
>> On Tue, Dec 18, 2012 at 2:45 PM, Tom H <tomh0665 at gmail.com> wrote:
>>
>>> On Tue, Dec 18, 2012 at 12:57 AM, Chandra Amarasingham
>>> <camarasingham at yahoo.com> wrote:
>>> >
>>> > I am wondering if there is an "official" word on the security of the
>>> > universe repository compared to the Main repository. By security I 
>>> mean free
>>> > from malicious code.
>>> >
>>> > I don't think there are anti-virus programs in the Main 
>>> repository, but I
>>> > think clam anti-virus is in the universe repository.....but that 
>>> means I am
>>> > not able to be confident that the clam anti-virus itself does have 
>>> malicious
>>> > aspects (eg. from other sources...).
>>> >
>>> > I thought it would be nice to have some scanning software in the main
>>> > repository which can be used to scan software from other 
>>> repositories which
>>> > don't enjoy the same level of confidence.
>>>
>>> Why would the universe/multiverse repositories be insecure? They're
>>> packages rebuilt from Debian just like those in main/restricted.
>>>
>>> -- 
>> I think the OP is referring to the fact the Universe / Multiverse
>> repositories are not supported directly by Canonical, but by the
>> community. So the OP, being a long time Windows user, I guess, assumes
>> it is potentially open to malicious code...
>>
>>
>> Chandra: No need to worry!
>>
>> Although Linux viruses exist, they pose very little threat to your
>> Ubuntu. On the other hand, if you use the same computer with Windows,
>> and download files from the Internet, make sure to scan them regularly
>> with an updated Anti Virus. You can safely install ClamAV + ClamTk
>> (its graphical front-end) and use it to scan your Windows partition
>> from within Ubuntu.
>>
>> The fact that the  Universe / Multiverse repositories are not
>> supported by Canonical just means you have to seek the community's
>> help and support for the applications you installed from them, and not
>> contact Canonical.
>>
>> I hope I was helpful and didn't confuse you even further ;-)
>>
>
> If malicious code enters the repositories, you DO need to worry, A LOT!
> Viruses in the big bad world get stopped by firewalls, scanners, and 
> the built-in unix file permissions.
> If a repo is infected (depending on the software it is in) it can have 
> root access to start with, so it can do anything it wants. If you are 
> lucky it will totally feck up your system so you will notice straight 
> away. If you are not so lucky, it will silently gather data without 
> you knowing.
>
> Mind you, the chance of repos being infected and no one noticing is 
> small.
>
> Best regards,
> Patrick Asselman
>
>
>
