YOU THERE!! Malicious script installed as a DEB, please read!

Hi All
Interesting read from the mailing list;
http://lists.opensuse.org/opensuse/2009-12/msg00564.html

http://ubuntuforums.org/showthread.php?t=1349678

Probably a reminder to those who use alien to convert to rpm…


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.39-0.3-default
up 5 days 6:54, 5 users, load average: 0.52, 0.34, 0.24
GPU GeForce 8600 GTS Silent - CUDA Driver Version: 190.18

interesting, probably a scriptkiddie trying to be a l33t haxx0r and ddos attacker or phisher :wink:

nevertheless, people should double-check what they download, even on sites they trust

Well why do you think I get most of my .debs from Ubuntu or getdeb?
Sometimes a PPA

It’s a bad idea to allow pure content to be distributed in a DEB or, for that matter, an RPM format that carries executable scripts. Same problem as with macros in Word documents. They should only allow tarballs or zip files or whatever, but not something that could run a command behind the user’s back.

What, and force source code?
No, it’s not the answer, as source code can be corrupt too.
What is needed instead is more management over on the various xlook and opendesktop websites.

The packages at the site in question are themes, just images. No problems with distributing PNGs and JPGs. I said nothing about program packages, you jumped to your conclusion.

I agree !

For pure content (i.e. data such as image files) it makes no sense to include it in a packaged .deb or packaged .rpm. Doing so just invites security risks and there is NO benefit from packaging them.

Having stated that, was not the malicious script supposed to offer some sort of waterfall screensaver (i.e. offer more than just pure data content)? (And hence by such an offer trick users into thinking an executable was needed to run the screensaver.)

Even a tarball can have the problem of overwriting files.

The problem is not “they use .deb or .rpm” but that the packages aren’t signed, and can be uploaded by non-reputable sources. Exactly the same problem Flash has on user-contributed content sites.

So I shall disagree: it does make sense to package up data files, even if they do not require executables. Extra themes may be provided in a separate package, for those who are interested to install.

Sometimes data requires actions on a system once it’s installed, perhaps menu generation, or alternative configuration.

If you say only executable programs should benefit from easy removal, updates and tracking provided by package managers, I think you’re being too restrictive and causing inconvenience to end users.

Furthermore, very often “data files” have ways to invoke interpreters or actions in programs, so there’s no way out but to sandbox things from untrusted sources.

A tarball or a zip file doesn’t have to be unpacked by tar or unzip. An installer program can read the format and guard against putting files in undesirable locations. It’s simply a packaging format.

Whereas rpm and dpkg are effectively interpreters, and you have the same problem that plagues Windows: idiots happily click through and install doodads from anywhere, no matter that the system screams that this package is signed by an unknown party.

If the application (installing a theme) does not require script interpretation, it is more prudent to leave it out. There is precedent for this; some themes are bundled as archive files and can be just dropped in place without unpacking. Or the final application does any necessary unpacking.
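A check along the lines of what this thread argues for, added here as an example that is not code from the thread or from any distribution tool: parse a .deb directly (it is an `ar` archive holding `control.tar.*` and `data.tar.*`) and list any maintainer scripts it ships, so that a package presented as pure theme data can be inspected or refused before dpkg runs those scripts as root. The package name, control file and contents are constructed in memory and are hypothetical.

```python
import io, tarfile

# Maintainer scripts that dpkg executes as root at install/remove time.
MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

def ar_members(data: bytes):
    """Yield (name, payload) for each member of a .deb, which is a classic 'ar' archive."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                      # fixed 60-byte member header
        name = hdr[:16].decode().strip().rstrip("/")  # GNU ar may append '/' to names
        size = int(hdr[48:58].decode().strip())       # decimal size field
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                 # members are padded to even length

def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for every maintainer script shipped in control.tar.*;
    an empty dict means the package is data-only, which is what a theme should be."""
    found = {}
    for name, payload in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tf:
                for m in tf.getmembers():
                    base = m.name.split("/")[-1]      # entries are stored as ./postinst etc.
                    if m.isfile() and base in MAINT_SCRIPTS:
                        found[base] = tf.extractfile(m).read().decode()
    return found

# --- constructed sample packages, built in memory (hypothetical package name) ---
def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(text.encode())
            tf.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

def _ar(members) -> bytes:
    out = b"!<arch>\n"
    for name, payload in members:
        out += f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(payload):<10}`\n".encode()
        out += payload + (b"\n" if len(payload) % 2 else b"")
    return out

CONTROL = "Package: fancy-theme\nVersion: 1.0\nArchitecture: all\nMaintainer: nobody\nDescription: theme\n"
DATA = _tar_gz({"usr/share/themes/fancy/wallpaper.png": "PNG-PLACEHOLDER"})
CLEAN_DEB = _ar([("debian-binary", b"2.0\n"), ("control.tar.gz", _tar_gz({"control": CONTROL})), ("data.tar.gz", DATA)])
SCRIPTED_DEB = _ar([("debian-binary", b"2.0\n"), ("data.tar.gz", DATA),
    ("control.tar.gz", _tar_gz({"control": CONTROL, "postinst": "#!/bin/sh\necho 'runs as root at install time'\n"}))])
```

Against a real file, `maintainer_scripts(open("pkg.deb", "rb").read())` gives the same answer as `dpkg-deb --info` would, without handing the package to dpkg first.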