[sf-lug] (forw) Re: Something new on Distrowatch and Ubuntu variants.

Rick Moen rick at linuxmafia.com
Mon Apr 26 16:27:26 PDT 2021

Bobbie wrote:

>     No I trust the sites I download from.
>     If their checksum matches the file I downloaded I consider it secure.

Then, you are putting at small but significant risk the people you pass
the ISOs to (not to mention putting yourself at risk).

If the site gets a temporary security compromise, then the bad guys can
and will put a trojaned variant of the real ISO there for download,
along with matching checksums.  This has already happened to multiple
significant Linux distributions.  Off the top of my head, I remember it
happening to Linux Mint.

The examples I have specifically documented in my Linux malware essays
(http://linuxmafia.com/~rick/faq/) aren't distros, but are significant
Linux codebases whose 'trusted download sites' got hacked and trojaned
fraud versions put in place to sucker anyone who isn't bothering to vet
developer PGP-signing.  You can see details at the link, but the summary
form is:

1999, TCP Wrappers package
2002, sendmail
2007, SquirrelMail
2010, ProFTPd
2011, vsftpd
2011, the Linux kernel(!)

Notably, none of those trojaned imposters _infiltrated_ Linux
distributions because distro gatekeepers bothered to verify developer
crypto signatures.

You, in _still_ not doing likewise, are doing people no favour, and it
might be that, one of these days, you're going to owe a bunch of them a
big apology.

I've been occasionally re-raising this omission on your part, and why it
is A Bad Thing, for (I think) well over a decade now, and you have
continued to ignore the problem and at most say "Well, I trust the
download sites".  Choosing to trust download sites, and not bother to
check release signatures, is just a complicated way to get fooled (you
and the people you give ISOs to) by the next person who infiltrates
trojaned ISOs onto one of those download sites you "trust".

And again, this is not just a theoretical problem.  Talk to all those
people who downloaded and installed security-compromised Linux Mint from
the download site they "trusted".

I'm going to keep occasionally reminding you that you're making a
dangerous mistake, as long as you keep committing it.  Not all the time,
but I'll keep mentioning the risk you're needlessly creating to others.

> Do you want any flavor of Ubuntu that I have not named.

Nope.  And, if I did, I wouldn't trust your ISOs.
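The verification the post argues for, written out as an added shell example (not from the post or from any project it names; the SHA256SUMS / SHA256SUMS.gpg file names, the out-of-band keyring and the tiny sample "ISO" contents are assumptions). It contrasts the checksum-only check, which a compromised mirror defeats simply by regenerating the checksum file, with signature-then-checksum verification.

```shell
#!/bin/sh
# Verify a downloaded ISO the way the post urges: check the maintainer's PGP
# signature on the checksum file first, and only then compare the ISO against
# those checksums. A matching checksum by itself proves nothing when the same
# mirror served both the ISO and the checksum file.
# Assumed (not from the post): the project publishes SHA256SUMS plus a detached
# signature SHA256SUMS.gpg, and its signing key was obtained out of band.

# checksum_only: the "I trust the site" approach. Passes whenever the ISO
# matches whatever checksum file came with it, trojaned or not.
checksum_only() {  # <iso> <SHA256SUMS>
    want=$(awk -v f="$(basename "$1")" '{n=$2; sub(/^\*/,"",n); if (n==f) print $1}' "$2")
    have=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# verify_iso: signature first, then checksum. Returns 0 only when both hold.
verify_iso() {  # <iso> <SHA256SUMS> <SHA256SUMS.gpg> <keyring.gpg>
    gpg --batch --no-default-keyring --keyring "$4" --verify "$3" "$2" >/dev/null 2>&1 \
        || { echo "BAD: signature on $2 does not verify" >&2; return 1; }
    checksum_only "$1" "$2" \
        || { echo "BAD: $1 does not match the signed checksums" >&2; return 1; }
    echo "OK: $1 matches checksums carrying a good signature"
}

# demo: throwaway key and release, then a mirror compromise that swaps in a
# trojaned ISO with a matching, regenerated (but unsigned) SHA256SUMS, the
# scenario the post describes. Returns 0 when the signature check catches it.
demo() {
    dir=$(mktemp -d); export GNUPGHOME="$dir/gnupg"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key release@example.invalid default default never 2>/dev/null
    gpg --batch --export > "$dir/keyring.gpg"          # what a user fetches out of band
    printf 'genuine installer image\n' > "$dir/distro.iso"   # constructed stand-in for an ISO
    (cd "$dir" && sha256sum distro.iso > SHA256SUMS)
    gpg --batch --detach-sign -o "$dir/SHA256SUMS.gpg" "$dir/SHA256SUMS"
    if verify_iso "$dir/distro.iso" "$dir/SHA256SUMS" "$dir/SHA256SUMS.gpg" "$dir/keyring.gpg"; then ok=1; else ok=0; fi
    printf 'trojaned installer image\n' > "$dir/distro.iso"      # mirror compromise: ISO swapped...
    (cd "$dir" && sha256sum distro.iso > SHA256SUMS)             # ...and checksum file regenerated
    if checksum_only "$dir/distro.iso" "$dir/SHA256SUMS"; then echo "checksum-only check: PASSES the trojaned ISO"; fi
    if verify_iso "$dir/distro.iso" "$dir/SHA256SUMS" "$dir/SHA256SUMS.gpg" "$dir/keyring.gpg"; then caught=0; else caught=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$dir"
    [ "$ok" -eq 1 ] && [ "$caught" -eq 1 ]
}

[ "${1:-}" = demo ] && demo
```

Run as `sh verify_iso.sh demo` to watch the checksum-only check accept the swapped image while the signed-checksum check rejects it.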
