
Thread: Open-Source project administrator infects part of the project's code …


  1. #1

    Open-Source project administrator infects part of the project's code …

    I noticed this in Bruce Schneier's latest Crypto-Gram issue: <https://www.schneier.com/crypto-gram...1215.html#cg12>.

    It seems that someone was given the right to administer a module which is part of an Open-Source project and used that right to push some malware onto that project's users …

        he emailed me and said he wanted to maintain the module, so I gave it to him. I don't get anything from maintaining this module, and I don't even use it anymore, and haven't for years.

        Apparently, you don't want to take any responsibility for this package. That's fine, it's the free community, do whatever you want. But at least indicate somehow that you're not maintaining this repo anymore, e.g. archive the repo
    AFAICS, the question is, “How does an Open-Source community protect itself against the misuse of the community's resources?”

    IOW, is it sufficient to have a control instance which inspects all the code submitted to the community's repositories?

    How much trust do we have to place in the sources of the code in the community's repositories?

  2. #2

    Re: Open-Source project administrator infects part of the project's code …

    Quote Originally Posted by dcurtisfra
        I noticed this in Bruce Schneier's latest Crypto-Gram issue: <https://www.schneier.com/crypto-gram...1215.html#cg12>.

        It seems that someone was given the right to administer a module which is part of an Open-Source project and used that right to push some malware onto that project's users …

        AFAICS, the question is, “How does an Open-Source community protect itself against the misuse of the community's resources?”

        IOW, is it sufficient to have a control instance which inspects all the code submitted to the community's repositories?

        How much trust do we have to place in the sources of the code in the community's repositories?
    Hi
    Lots of eyes... hmmm, maybe, except wasn't it Bumblebee that deleted / with remove minus force * a few years back?

    There have been a few others adding miners as well; they don't last long.
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  3. #3

    Re: Open-Source project administrator infects part of the project's code …

    I don't see how the problem can be a problem specifically with FOSS...

    Like any business or endeavor, any project, whether FOSS or not, is only as good as the people who manage it... As you clearly describe, the malicious hacker was expressly given sufficient access without supervision to embed the malicious code. I'm not sure how that would be different from any other company or project; history has many examples of malicious code purposely or accidentally embedded in FOSS and commercial products... Yes, Sony has been the victim of embarrassingly installing malicious code at least once, and in the case I'm thinking of they just grabbed publicly available code and stuck it in their commercial code.

    If you think the Crypto-Gram issue is because it's FOSS, that's not the case.
    And even blaming it on neglectful management is only half the problem or less if the maintainer(s) are up front about their wish to no longer support the app.

    That's why, if you install something that's not from openSUSE, you should try harder to determine the risk... Like:
    - How active is the project? Look at the source code updates for frequency and last/latest submissions.
    - For things like networked apps, should they have been updated to use encryption within the past year or so? Major vulnerabilities were found and, if not patched, that is an indicator of neglect and likely vulnerabilities.
    - How large is the community? Although I do have complete confidence in some one-person projects, those individuals work hard on what they make available to you and it shows. In some cases, if you try to communicate with that person and he doesn't answer, walk away.
    - Is there a blog and possibly supporting documentation?

    All of the above show the degree of attention the app is getting.
    And remember, in many cases you get what you are paying for... and if you're paying nothing, then there may be only a limited obligation for what you are given to work.

    HtH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
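The first and third points of the checklist above (how recent and how frequent the commits are, how many people contribute, and whether a stranger suddenly took over after years of silence, which is the exact pattern the OP's quoted exchange describes) can be scripted over `git log` output. The following is an added example, not code from this thread's authors or from any project mentioned here. It reads lines of the form produced by `git log --reverse --format='%at%x09%ae'` (unix author time, TAB, author e-mail); the sample history is constructed, and the 365-day dormancy threshold and the 2018-10-15 "now" are arbitrary assumptions for the illustration.

```python
"""Activity and maintainer-handover heuristics over a git commit history.

Input format (one commit per line, as from `git log --reverse --format='%at%x09%ae'`):
    <unix author time> <TAB> <author e-mail>
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample history (not a real project): one author commits
# quarterly through 2015, goes quiet for almost three years, then an
# address never seen before pushes two commits on consecutive days.
SAMPLE_LOG = """\
1420070400\torig@example.org
1427846400\torig@example.org
1435708800\torig@example.org
1443657600\torig@example.org
1451606400\torig@example.org
1538352000\tnew@example.net
1538438400\tnew@example.net
"""

# Assumed review parameters; tune them to your own risk appetite.
DORMANCY_GAP_DAYS = 365
ACTIVITY_WINDOW_DAYS = 365


@dataclass(frozen=True)
class Commit:
    when: datetime
    author: str


def parse_log(text: str) -> list[Commit]:
    """Parse '<unix time>\\t<author e-mail>' lines and return them oldest first."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, author = line.split("\t", 1)
        when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
        commits.append(Commit(when, author.strip()))
    return sorted(commits, key=lambda c: c.when)


def handover_after_gap(commits: list[Commit], gap_days: int = DORMANCY_GAP_DAYS):
    """Find a previously unseen author whose first commit follows a long gap.

    Returns (gap_in_days, new_author) for the first such event, or None.
    A dormant repo that suddenly gets commits from a stranger is not proof
    of anything, but it is the moment to read the diff rather than trust it.
    """
    seen: set[str] = set()
    for prev, cur in zip(commits, commits[1:]):
        seen.add(prev.author)
        gap = (cur.when - prev.when).days
        if gap >= gap_days and cur.author not in seen:
            return gap, cur.author
    return None


def activity_report(commits: list[Commit], now: datetime,
                    window_days: int = ACTIVITY_WINDOW_DAYS) -> dict:
    """Summarise recency, frequency and contributor spread for a risk review."""
    cutoff = now - timedelta(days=window_days)
    recent = [c for c in commits if c.when >= cutoff]
    by_author = Counter(c.author for c in commits)
    return {
        "last_commit_age_days": (now - commits[-1].when).days,
        "commits_in_window": len(recent),
        "distinct_authors_total": len(by_author),
        "distinct_authors_in_window": len({c.author for c in recent}),
        "single_contributor": len(by_author) == 1,
        "handover_after_gap": handover_after_gap(commits),
    }


def sample_report() -> dict:
    """Run the report over the constructed sample with an assumed 'now'."""
    now = datetime(2018, 10, 15, tzinfo=timezone.utc)
    return activity_report(parse_log(SAMPLE_LOG), now)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the sample history the report flags a 1004-day gap followed by a brand-new author, only two commits in the last year, both from that author. None of those numbers condemns the project on their own, but together they are the cue to review the new maintainer's commits line by line before installing, rather than assuming that "lots of eyes" already did.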

  4. #4

    Re: Open-Source project administrator infects part of the project's code …

    Yes, yes, yes, but maybe note that the issue was found because someone noticed some warnings when they built the package from the source code …

    SUSE's openQA provides a reasonable method to ensure that the code builds correctly for the SUSE and openSUSE distros, but the following question has to be asked:
    • “Who has written the test scripts for the openQA process, and have those test scripts been verified?”
