"SquirrelMail Repository Poisoned" (slashdot)

Paul Wouters paul at xelerance.com
Wed Dec 19 20:12:09 UTC 2007


On Wed, 19 Dec 2007, Paul Vixie wrote:

> Subject : Re: "SquirrelMail Repository Poisoned" (slashdot)

> could something like this happen in BIND and go unnoticed?
>
> http://it.slashdot.org/article.pl?sid=07/12/18/1847233

The title "repository poisoned" is a bit confusing. It was not the
"source repository" but the "source distribution" that was
compromised. This could happen to anyone, but people should
fetch the code regularly from their own web/ftp server and verify
it against their local checksum. I am not sure if BIND is doing
that.

As a side note, one of the good features of git is that every commit is
a sha1 hash. In case of a compromise of the source repository (versus
a compromise in source distribution archive files), your first next
'git push' would tell you there is a problem and refuse to commit.

tcpdump and openswan do daily checks on their public web/ftp servers
for source distribution file compromise. Openswan is also using git as
their source repository, ensuring instant detection of source repository
compromise. (I believe tcpdump is still using CVS)

Perhaps it would be an idea to set up a service where people can submit
a URL with a hash, and request daily checks on the integrity of the
distribution files.

Paul
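The daily distribution-file check Paul describes (fetch your own published archive back from the public web/ftp server and compare it with a checksum kept elsewhere), written out as an added example. This is not code from the bind-workers list or from tcpdump or openswan; the archive URL, the file bytes and the tampered copy are constructed for illustration, and SHA-256 is this example's choice of checksum, not something the post specifies.

```python
"""Daily integrity check of published source distribution files.

Added example (not from the original post). The manifest of
URL -> SHA-256 is assumed to be recorded at release time and kept on a
host other than the download server, so that a compromise of the
server cannot also rewrite the reference checksums.
"""
import hashlib
import hmac
import sys
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], bytes]
Result = Tuple[str, str, str]  # (url, status, detail)


def sha256_hex(data: bytes) -> str:
    """Hex digest of the file contents; the value stored in the manifest."""
    return hashlib.sha256(data).hexdigest()


def fetch(url: str, timeout: float = 30.0) -> bytes:
    """Download the published file exactly as a user would get it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def record_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build the reference manifest from the bytes as released."""
    return {url: sha256_hex(data) for url, data in files.items()}


def check_distribution(manifest: Dict[str, str], fetcher: Fetcher = fetch) -> List[Result]:
    """Re-fetch every listed file and compare against its recorded hash.

    Status is "ok", "MISMATCH" (contents changed since release) or
    "ERROR" (file could not be fetched, which also deserves attention:
    a missing archive is often the first sign of a replaced one).
    """
    results: List[Result] = []
    for url, expected in manifest.items():
        try:
            data = fetcher(url)
        except Exception as exc:  # network or HTTP failure
            results.append((url, "ERROR", f"{type(exc).__name__}: {exc}"))
            continue
        actual = sha256_hex(data)
        # Constant-time comparison; harmless here but a good habit for digests.
        if hmac.compare_digest(actual, expected):
            results.append((url, "ok", actual))
        else:
            results.append((url, "MISMATCH", f"expected {expected}, got {actual}"))
    return results


# Constructed sample data: the archive as released, and a copy with an
# extra payload appended, standing in for a replaced file on the mirror.
RELEASE_URL = "https://example.invalid/dist/project-1.0.tar.gz"  # hypothetical
GOLDEN_TARBALL = b"\x1f\x8b\x08\x00constructed-release-bytes"
TAMPERED_TARBALL = GOLDEN_TARBALL + b"#injected"


def demo() -> List[Result]:
    """Run the check against a constructed mirror that serves the tampered file."""
    manifest = record_manifest({RELEASE_URL: GOLDEN_TARBALL})
    served = {RELEASE_URL: TAMPERED_TARBALL}
    return check_distribution(manifest, fetcher=lambda u: served[u])


if __name__ == "__main__":
    outcome = demo()
    for url, status, detail in outcome:
        print(f"{status:8} {url}  {detail}")
    # Non-zero exit makes a cron job's failure visible.
    sys.exit(1 if any(s != "ok" for _, s, _ in outcome) else 0)
```

Run from cron once a day with the real `fetch` and a manifest written at release time; the exit status and the MISMATCH/ERROR lines are what to alert on.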


More information about the bind-workers mailing list