by cassianoleal 771 days ago
Right... I may have wrongly named Arch in my comment. Thanks for the correction.

I'm curious about Arch's claim that "the build script was configured to only inject the bad code in Debian/Fedora based package build environments". Were Debian and Fedora specifically targeted, and the other distros who also got affected just happened to use similar packaging routines, or is this claim a guess?


The malicious build script included heuristics to only include the backdoor if you were building a .deb or .rpm package (the Debian and Fedora formats respectively). Other distros would have been affected if they used the same packaging setup -- Ubuntu also uses .deb, for example, because it's based on Debian.

And some distros IIRC considered themselves "affected" if they ever used a malicious version of the code, just in case, even if the backdoor didn't actually get compiled into their version.
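The comment above describes a build script that only included the backdoor when a .deb or .rpm was being produced. From the defender's side, the class of behaviour to look for is a build step that branches on signs of a distro packaging environment, since an honest upstream build has little reason to care who is packaging it. The script below is an added example written for this thread; it is not code from any project or incident discussed here. The indicator list (environment variables and tool names exported or used by dpkg-buildpackage and rpmbuild), the heuristic of flagging only conditional lines, and the sample build script are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators that a shell conditional is probing for a Debian or RPM packaging
# environment. DEB_BUILD_ARCH/DEB_HOST_ARCH are exported by dpkg-buildpackage
# and RPM_BUILD_ROOT/RPM_PACKAGE_NAME by rpmbuild; which ones to include is an
# assumption made for this example, not a list taken from any real incident.
PACKAGING_INDICATORS = {
    "deb": [r"\bDEB_BUILD_ARCH\b", r"\bDEB_HOST_ARCH\b",
            r"\bdpkg-buildpackage\b", r"\bdebian/"],
    "rpm": [r"\bRPM_BUILD_ROOT\b", r"\bRPM_PACKAGE_NAME\b",
            r"\brpmbuild\b", r"\.spec\b"],
}

# A line that starts a branch: if/elif/case/test or a bare [ ... ] test,
# or a command chained with && / || (a compact way of writing a branch).
BRANCH_START = re.compile(r"^(if|elif|case|test)\b|^\[")


@dataclass
class Finding:
    line_no: int    # 1-based line in the scanned script
    family: str     # "deb" or "rpm"
    indicator: str  # the regex that matched
    condition: str  # the stripped source line


def find_packaging_gated_conditions(script: str) -> list[Finding]:
    """Report conditionals in shell-style build text that reference
    Debian or RPM packaging indicators.

    Plain uses (e.g. `make install DESTDIR=$RPM_BUILD_ROOT`) are normal
    packaging practice and are ignored; only *branching* on them is flagged.
    """
    findings: list[Finding] = []
    for idx, raw in enumerate(script.splitlines(), start=1):
        # Naive comment stripping: good enough for a triage heuristic,
        # would mis-handle a literal '#' inside a quoted string.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not BRANCH_START.match(line) and " && " not in line and " || " not in line:
            continue
        for family, patterns in PACKAGING_INDICATORS.items():
            for pat in patterns:
                if re.search(pat, line):
                    findings.append(Finding(idx, family, pat, line))
    return findings


# Constructed sample: an otherwise ordinary build script with two steps that
# only fire when a distro packaging tool is driving the build.
SAMPLE_BUILD_SCRIPT = """\
#!/bin/sh
# constructed sample build script
set -e
./configure --prefix=/usr
make
if [ -n "$RPM_BUILD_ROOT" ] || [ -f debian/rules ]; then
    cp extras/prebuilt.o src/   # only when a distro is building a package
fi
case "$DEB_BUILD_ARCH" in
    amd64) EXTRA_OBJS=blob.o ;;
esac
make install DESTDIR="${RPM_BUILD_ROOT:-/}"
"""


if __name__ == "__main__":
    for f in find_packaging_gated_conditions(SAMPLE_BUILD_SCRIPT):
        print(f"line {f.line_no}: [{f.family}] {f.condition}")
```

Run against the constructed sample, the scanner flags line 6 twice (once per family, because it tests both an RPM variable and a Debian path) and line 9 once, and says nothing about line 12, where RPM_BUILD_ROOT is merely used as an install prefix. The heuristic is deliberately narrow: it produces review candidates for a human, not a verdict, and a script that obfuscates its checks (building the variable name at run time, for instance) would not be caught by it.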

It's odd to call RPM the "Fedora" format. It literally means Red Hat Package Manager [0]. Well, at least it used to, according to Wikipedia. :D

It's true that Red Hat now owns Fedora, but the adoption went the other way around.

[0] https://en.wikipedia.org/wiki/RPM_Package_Manager

Me too, especially since many packages on Arch begin by downloading the official .deb/.rpm

Does this happen for official packages or just the AUR? I was pretty sure that when possible they build the packages from source themselves rather than bundling pre-existing binaries, and I'd assume that they wouldn't likely have the sources in the final package. IIRC Debian doesn't even like to bundle the headers in with libraries in preference to splitting them off into a separate file, so I'd be kind of shocked if they put the entire source of each library in the .deb files they distribute.

Arch package maintainer here; we generally encourage building from source for packages provided by the official repositories. As far as I know, we only ship pre-compiled binaries if there is no source available, i.e. commercial programs such as reaper.

Awesome, that's pretty much exactly what I had thought