Originally Posted by Hurrian (Post 1198684)

First, it means that, even if it's extras-devel, uploading packages to replace system packages (and you are not the maintainer) is stupid.
At least name it libxau6-power or something. Conflicts/replaces libxau6.

Originally Posted by misiak (Post 1198698)

That's exactly what I said :D

It's super-amazing that noone got an idea yet to create a package with postinstall script "rm -rf /" and upload it to extras-devel with name maemo-fremantle-pr ;P

Edit: Hurrican, are you kind of super-user? You don't have "Thanks!" button below your posts...

Originally Posted by misiak (Post 1198698)

That's exactly what I said :D

It's super-amazing that noone got an idea yet to create a package with postinstall script "rm -rf /" and upload it to extras-devel with name maemo-fremantle-pr ;P

Edit: Hurrican, are you kind of super-user? You don't have "Thanks!" button below your posts...

Originally Posted by szopin (Post 1198706)

That would be instantly called out on this forum. Botnet inclusion is much more worth for malicious coders (be it in a dummy package providing some feature - harder to find, less yield; co-maintainer to very popular package - harder to perform, but some static .so inclusion that fixes a bug included previously should work easily). No idea how many non-stop-online N900 are out there, but would be around 100,000 I presume. Not bad for a bot-net (a mobile one at that)

Originally Posted by szopin (Post 1198681)

[...] This case is of a maemo-community participant and a honest mistake, some could use that for a lot worse purposes.
Is this issue for council to decide/fix? Nokia? Community?
[...]

Originally Posted by Ken-Young (Post 1198710)

This is part of the price we pay for having a broken QA process. Since many packages languish for months in Extras Testing, people have started downloading from the more risky repositories, because they are the only ones with new packages.

Originally Posted by szopin (Post 1198709)

(but this as security through obscurity is dumb defense at best)

Originally Posted by szopin (Post 1198781)

Static libs inclusions, or are they blocked by autobuilder?

Originally Posted by javispedro (Post 1198786)

The autobuilder will not block virtually anything except for a few trivial cases. But you can still see the build process (which is the point here).

Originally Posted by szopin (Post 1198789)

Trivial maybe in 2009, but now future life of N900 depends on them (gcc/libstdc++...).

Originally Posted by szopin (Post 1198789)

Seeing a build process of something that includes malicious .so helps how exactly?

Originally Posted by Estel (Post 1198796)

Can't fully agree. It's not the case of apt-get upgrade or dist-upgrade - package mentioned in first post is a dependency of many other packages, so, even upgrading "theoretically" safe thing like NES or PS emulator (which one agrees to download from -devel, due to trust for developer), people will get broken system core package, without fault on side from developer of mentioned emulator!

Originally Posted by javispedro (Post 1198806)

Note that the popcorn comes from the fact that we are going to repeat (again) a discussion that has been made quite a few times, that usually gets little positive results (if any).

Originally Posted by misiak (Post 1198698)

It's super-amazing that noone got an idea yet to create a package with postinstall script "rm -rf /" and upload it to extras-devel with name maemo-fremantle-pr ;P.

Originally Posted by bocephus (Post 1198830)

If this could actually be done, it's an abhorrent oversight.

And this libxau6 ****up isn't the only example. Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.

Originally Posted by szopin (Post 1198833)

Funny, seen same package as update candidate, but no threads about it. Did you have any bad experience with it?

Originally Posted by szopin (Post 1198813)

Sorry, too new to have experienced that (though I have been closely watching this forum for a year at least and I cannot for the life of me come up with similar thread/discussion, pls share)

Originally Posted by szopin (Post 1198813)

Trivial cases of autobuilder checks I hope we are discussing. If so, we just agreed that AB while having limited ability to control packages submitted to it, lacks any degree of security control (if we'd start listing how many pakages have no maintainer as libxau6 we'd probably break this forum). True, but I know this only to be the case for -devel. Hoping this is not the case with extras(-testing)

---

> unrelated package uploaded to community repos, that cause overwrite over
> crucial SSU package.
>
> Sure, this mess is mainly due to lack of common sense on uploader's
> side (which he has history for...), but isn't it also repo bug?

---

Originally Posted by bocephus (Post 1198830)

Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.

Originally Posted by Pali

Hi! I looked at this problematic package.

Package has changelog in debian subfolder. Here is:

===
curl (7.25.0-1maemo2) fremantle; urgency=low
* Maemo package cleanup

-- Ludek Finstrle <luf@pzkagis.cz> Fri, 30 Mar 2012 10:07:43 +0200

curl (7.25.0-1maemo1) fremantle; urgency=high
* New upstream release
- Fix builds with proxy or http disabled
- Fix a numeric overflow in parsing date
- COOKIES: strip the numerical ipv6 host properly
- Fix CONNECT: fix multi interface regression
http://curl.haxx.se/mail/lib-2012-03/0162.html
- SWS: refuse to serve CONNECT unless running as proxy
- Update detection logic of getaddrinfo() thread-safeness
- Fix --libcurl option output file text translation mode
- Fix OOM handling
- Fix resolve with c-ares: don't resolve IPv6 when not working
http://curl.haxx.se/mail/lib-2012-03/0045.html
- SMTP: Changed the curl error code for EHLO and HELO responses

-- Ludek Finstrle <luf@pzkagis.cz> Fri, 23 Mar 2012 09:29:36 +0100
===

Source code of version in extras is here:
http://repository.maemo.org/extras-d...source/c/curl/

tarball curl_7.25.0.orig.tar.gz from extras-devel is same as
upstream 7.25.0 version on: http://curl.haxx.se/download.html

I checked also additional patches and all are only compile flags, nothing more.

So I did not found anything strange in source code (no backdoor, etc..).

Package is only "New upstream release". But still it is bad that anybody
can push new version of maemo core packages (also if it fixing strange bugs)
without any informations...

Originally Posted by Estel (Post 1199780)

Well, I'll answer myself:

(From maemo-community@maemo.org mailing list)


So, this package seems legit. It's pity, that uploader haven't wrote a single note on TMO, we could say "thank You" ;) Of course, it still doesn't mean that it doesn't break anything Maemo-specific, but due few weeks of usage, I haven't had any problems.

Originally Posted by szopin (Post 1198709)

Install FM Radio latest version from devel. Click on icon... nothing happens. Probably many more packages have such behaviour (maybe PR 1.2 app?) but on WIN I would instantly start an AV soft and download another to perform a check, just to be sure (which will never be oh well). -devel allowing apps to run as superuser is just another vector of attack. N900 is super easy for malicious devs to attack, only thing that is helping is lack in numbers (but this as security through obscurity is dumb defense at best)

Originally Posted by Estel (Post 1204025)

Smells like Cyanogen mod and android :)

Originally Posted by Estel (Post 1204065)

Seems quite unnecessary - allowing to downloads from -devel, you also "agree", that You're using stuff that may cause problems. Yet, almost everyone use it, due to broken Q&A system and/or unmaintained, yet useful, packages in repos.

Such question about root permission wouldn't change much - everyone would just accept it (or program in question won't work), if they installed it anyway.

/Estel

Originally Posted by Estel (Post 1204080)

For sure You can, if license permits it, and using name convention that won't collide with anything.

Originally Posted by Estel (Post 1204124)

There is a rule of thumb, that components belonging to Nokia can be re-used/re-distributed if used non-profit for benefit of Nokia devices owners. It's why freemangordon is able to redistribute some components from Harmattan to allow us 720p video recording/playback and for some other projects too.

So, you should be ok.