Date: Tue, 16 Jun 2015 00:49:31 -0400
From: Michael Gilbert <mgilbert@...ian.org>
To: Christoph Anton Mitterer <calestyo@...entia.net>, 786909@...s.debian.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob

On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote:
> Shouldn't we see a DSA following this incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
>
> And to be quite honest, I seriously consider the good faith of such an
> upstream which does these kinds of things and wonder whether it can be
> considered trustworthy enough to be part of Debian or whether it should
> be banned from it.
> More or less silently bundling proprietary code with open source
> software (especially but not only when enabled per default) can already
> be considered quite bad behaviour.
>
> But basically secretly downloading it leads to the question of possible
> malicious intent (and everyone knows that Google&Co. do voluntarily
> and/or forcibly cooperate with NSA and friends).
> And I guess no one can prove that this blob didn't contain any rootkit,
> and even if - the rootkit'ed version may have been just distributed to
> certain people.
> The downloading makes it more or less impossible for the admin/user and
> especially for our maintainers to notice what's happening here
> (otherwise they'd need to audit every line of code for any such
> occasions).
>
>
> And even if the blob wasn't evil: while I haven't looked at the code, I
> wouldn't even be surprised if the downloading itself is done
> insecurely.
>
>
> Worse, chromium isn't the only such rootkit-downloader,... this happens
> - to my taste - far too often in recent times,.. e.g. FF which secretly
> downloaded the OpenH264 blob.

Barring the obtusely incorrect rootkit miscategorization, oss-sec is a far
better venue for discussion since Debian is not the only distribution that
includes chromium 43.

Best wishes,
Mike