Date: Tue, 16 Jun 2015 00:49:31 -0400 From: Michael Gilbert <mgilbert@...ian.org> To: Christoph Anton Mitterer <calestyo@...entia.net>, 786909@...s.debian.org Cc: oss-security@...ts.openwall.com Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote: > Shouldn't we see a DSA following this incident? > > Since no one really know which binaries have been downloaded there and > what they actually do, and since it cannot be excluded that it was > actually executed, such systems are basically to be considered > compromised. > > Quite a deal of people choose open source just to prevent that - get > untrustworthy / unverifiable code run on their systems - failed. > > > And to be quite honest, I seriously consider the good faith of an such > upstream which does these kinds of things and wonder whether it can be > considered trustworthy enough to be part of Debian or whether it should > be banned from it. > More or less silently bundling proprietary code with open source > software (especially but not only when enabled per default) can already > be considered quite bad behaviour. > > But basically secretly downloading it leads to the question of possible > malicious intent (and everyone knows that Google&Co. do voluntarily > and/or forcibly cooperate with NSA and friends). > And I guess no one can prove that this blob didn't contain any rootkit, > and even if - the rootkit'ed version may have been just distributed to > certain people. > The downloading makes it more or less impossible for the admin/user and > especially for our maintainers to notice what's happening here > (otherwise they'd need audit every line of code for any such > occasions). > > > And even if the blob wasn't evil: while I haven't looked at the code, I > wouldn't even be surprised if the downloading itself is done > insecurely. > > > Worse, chromium isn't the only such rootkit-downloader,... this happens > - to my taste - far to often in recent times,.. e.g. FF which secretly > downloaded the OpenH264 blob. Barring the obtusely incorrect rootkit miscategorization, oss-sec is a far better venue for discussion since Debian is not the only distribution that includes chromium 43 . Best wishes, Mike
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.