[sf-lug] (forw) Re: Something new on Distrowatch and Ubuntu variants.
Rick Moen
rick at linuxmafia.com
Mon Apr 26 16:27:26 PDT 2021
Bobbie wrote:
> No I trust the sites I download from.
> If their checksum matches the file I downloaded I consider it secure.
Then, you are putting at small but significant risk the people you pass
the ISOs to (not to mention putting yourself at risk).
If the site gets a temporary security compromise, then the bad guys can
and will put a trojaned variant of the real ISO there for download,
along with matching checksums. This has already happened to multiple
significant Linux distributions. Off the top of my head, I remember it
happening to Linux Mint.
The examples I have specifically documented in my Linux malware essays
(http://linuxmafia.com/~rick/faq/) aren't distros, but are significant
Linux codebases whose 'trusted download sites' got hacked and trojaned
fraud versions put in place to sucker anyone who isn't bothering to vet
developer PGP-signing. You can see details at the link, but the summary
form is:
1999, TCP Wrappers package
2002, sendmail
2007, SquirrelMail
2010, ProFTPd
2011, vsftpd
2011, the Linux kernel(!)
Notably, none of those trojaned imposters _infiltrated_ Linux
distributions because distro gatekeepers bothered to verify developer
crypto signatures.
You, in _still_ not doing likewise, are doing people no favour, and it
might be that, one of these days, you're going to owe a bunch of them a
big apology.
I've been occasionally re-raising this omission on your part, and why it
is A Bad Thing, for (I think) well over a decade now, and you have
continued to ignore the problem and at most say "Well, I trust the
download sites". Choosing to trust download sites, and not bother to
check release signatures, is just a complicated way to get fooled (you
and the people you give ISOs to) by the next person who infiltrates
trojaned ISOs onto one of those download sites you "trust".
And again, this is not just a theoretical problem. Talk to all those
people who downloaded and installed security-compromised Linux Mint from
the download site they "trusted".
I'm going to keep occasionally reminding you that you're making a
dangerous mistake, as long as you keep committing it. Not all the time,
but I'll keep mentioning the risk you're needlessly creating to others.
> Do you want any flavor of Ubuntu that I have not named?
Nope. And, if I did, I wouldn't trust your ISOs.
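As an added example (not code from the post or from any distribution's tooling), here is a POSIX shell script contrasting the checksum-only check described above with the signature-then-checksum check the reply argues for. File names (SHA256SUMS, SHA256SUMS.gpg, trusted-keyring.gpg, distro.iso) are assumed placeholders, and the keyring is assumed to have been obtained out of band rather than from the download mirror.

```shell
#!/bin/sh
# Two ways to check a downloaded ISO. checksum_only is what "trusting the site"
# amounts to: a mirror that serves a trojaned ISO can serve a matching SHA256SUMS
# beside it, so the check passes. verify_download first checks the developer's
# detached PGP signature on SHA256SUMS against a keyring obtained out of band
# (not from the mirror), and only then compares the ISO against the signed sums.

# Print the SHA-256 listed for $2 (the ISO) in $1 (a sha256sum-format file).
expected_sum() {
  awk -v f="$(basename "$2")" '$2 == f || $2 == "*" f { print $1 }' "$1"
}

# Checksum-only check: detects corrupt downloads, not a compromised mirror.
checksum_only() {
  sums=$1; iso=$2
  expected=$(expected_sum "$sums" "$iso")
  [ -n "$expected" ] || { echo "no entry for $(basename "$iso") in $sums" >&2; return 1; }
  actual=$(sha256sum "$iso" | awk '{ print $1 }')
  [ "$actual" = "$expected" ] || { echo "checksum MISMATCH: $iso" >&2; return 1; }
}

# Signature-then-checksum check. Arguments: trusted keyring, SHA256SUMS,
# detached signature (SHA256SUMS.gpg), ISO. Fails closed if gpg is missing,
# the signature is absent, or the signing key is not in the keyring.
verify_download() {
  keyring=$1; sums=$2; sig=$3; iso=$4
  gpg --batch --no-default-keyring --keyring "$keyring" \
      --verify "$sig" "$sums" >/dev/null 2>&1 \
    || { echo "signature check FAILED: do not use $iso" >&2; return 1; }
  checksum_only "$sums" "$iso" || return 1
  echo "OK: $iso matches the signed $sums"
}

# Usage: sh verify-iso.sh trusted-keyring.gpg SHA256SUMS SHA256SUMS.gpg distro.iso
if [ $# -eq 4 ]; then
  verify_download "$@"
fi
```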