Re: [arch-general] Integrating Virus Scanning for Packages Handled by Pacman (Mark Lee)
On Wed, 2013-04-24 at 12:57 -0400, arch-general-request@archlinux.org wrote:
On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee <mark@markelee.com> wrote:
While building packages on the AUR, I was wondering that except for manual user intervention (by reading the code), I didn't have any other methods of knowing if a package had malware or viruses. Hence, I was wondering if virus scanning via clamav should be called before pacman installs packages.
-- Mark E. Lee <mark@markelee.com>
On Tuesday, April 23, 2013 06:56:56 PM Daniel Micay wrote:
The PKGBUILD itself is a bash script. If you're running them without reading the code and checking that the sources are from an upstream you trust, you're gonna have a bad time.
There are plenty of packages in the AUR that touch outside of $pkgdir - but most seem to be beginner mistakes in good faith. ClamAV pretty much just detects very common win32 viruses, because it's used on mail servers to *reduce* the number of spread viruses.
If you really feel like scanning the package contents after you've already trusted the PKGBUILD and build scripts, just don't use makepkg -i.
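The workflow Daniel describes (build with makepkg but without -i, scan the result, then install it yourself) as an added shell example; this is not code from the thread or from Arch. It assumes a PKGBUILD in the current directory that you have already read, and lets the makepkg, clamscan and pacman commands be overridden through environment variables so the decision logic can be dry-run on a machine without ClamAV or pacman.

```shell
#!/bin/sh
# Build a package from the PKGBUILD in the current directory, scan every
# produced package file with ClamAV, and hand only clean ones to pacman -U.
# Added example, not from the thread. The three commands are overridable so
# the logic can be exercised without makepkg, clamscan or pacman installed.
set -u

MAKEPKG="${MAKEPKG:-makepkg}"
CLAMSCAN="${CLAMSCAN:-clamscan}"
PACMAN="${PACMAN:-sudo pacman}"

# Scan one package file. Returns 0 only when ClamAV reports no detection.
# clamscan exit codes: 0 = clean, 1 = something detected, 2 = scanner error.
# A scanner error is treated as "do not install", not as "clean".
scan_pkg() {
    pkg="$1"
    rc=0
    # --no-summary keeps only the per-file verdict line in the output
    $CLAMSCAN --no-summary "$pkg" || rc=$?
    case $rc in
        0) echo "clean: $pkg"; return 0 ;;
        1) echo "DETECTION in $pkg: refusing to install" >&2; return 1 ;;
        *) echo "scanner error ($rc) on $pkg: refusing to install" >&2; return 2 ;;
    esac
}

# Build (installing build deps with -s), scan, then install each package.
# Stops at the first package that is not clean, so nothing later is installed.
build_scan_install() {
    $MAKEPKG -s || return 1
    for pkg in ./*.pkg.tar*; do
        [ -e "$pkg" ] || { echo "no package was built" >&2; return 1; }
        scan_pkg "$pkg" || return $?
        $PACMAN -U "$pkg" || return 1
    done
}
```

Note that, as Daniel says, this only catches known signatures in the built files; it does nothing about what the PKGBUILD itself did during the build, which is why reading it first is still the real check.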
I'd have to agree here, I don't feel much as if it is the duty of the package manager to check for viruses. Furthermore, reinforcing what Daniel said, ClamAV's primary function is to mitigate the spreading of Windows malware. While it would be nice to have some system to screen PKGBUILDs for malicious activity, it is just out of scope. [core], [extra], [multilib], and [community] are for the most part screened upon submission (You can't just throw a package right upstream and into [community] without having someone view it first, thus having an opportunity to spot bad scripts) and the AUR is fairly trustworthy in and of itself. It really is just a matter of trust.
As seen by some malignant Android apps, trust in the developer/maintainer does not always work towards the goals of the end users. Packages downloaded from the main repos or built from the AUR should be scanned for both Windows and Linux malware to ensure Arch Linux PCs don't become carriers for malware. Pacman would benefit from an additional line of package scanning (not just verifying); it's sort of like a second opinion from another doctor. From, Mark -- Mark E. Lee <mark@markelee.com>
Packages are signed; unless they're infected at the source, you can't attach/embed malware in them en route to your machine. Upstream could insert much more insidious things into a package than malware. Scanning for malware is only going to help you find known pieces of malware with known signatures. It's not going to magically be able to detect any bit of malicious code. That is simply an impossible proposition, making scanning for malware an ineffective and virtually useless technique. Basically it comes down to trust. If you can't trust the repos, don't use them.
No. There is package signing now. You already verify that the guy who put his package on the repo is the guy you trust as your binary source. How do you know? Because you could build the exact same binary with an archlinux source package and current devtools. The unholy mess gcc is, is entrusted with encoding our sources to machine executable format, and how do you know you can trust it? You can't. To say it with XKCD, there is no point in forcing teachers to wear a condom in class, and there's no point in adding virus protection to Arch's repos. Really, no. cheers! mar77i
On Wed, 2013-04-24 at 13:47 -0400, Mark E. Lee wrote:
As seen by some malignant Android apps, trust in the developer/maintainer does not always work
IMO this is an improper comparison. The Android community is completely different to the Linux, BSD etc. communities. You might call Android a Linux, but the community is more comparable to Microsoft and Apple users. Scanners are made for Windows and they tend to mark good Linux files as malicious from time to time.
On 2013-04-24 13:47, Mark E. Lee wrote:
As seen by some malignant Android apps, trust in the developer/maintainer does not always work towards the goals of the end users. Packages downloaded from the main repos or built from the AUR should be scanned for both windows and linux malware to ensure Arch Linux pc's don't become carriers for malware. Pacman would benefit from an additional line of package scanning (not just verifying); it's sort of like a second opinion from another doctor.
I am continuing on the assumption that this is serious... The Arch Way is all about handing the power to the user, such changes (which, regardless, are pointless) should be handled by the user directly. What a virus scanner says does not necessarily equal the actuality of whether a virus exists. Besides, what if I *want* to have a virus as part of a package on my computer, for analysis, unit tests, or some such? What if an AV vendor suddenly decides that they have a vendetta against someone, and blacklist them? That has happened many times before. AV vendors are evil, evil, evil. IMO: pointless. GPG verification is almost cost-free to the user. Virus scanning is not, and is just plain wrong. Chris
participants (5): Chris Down, Mark E. Lee, Martti Kühne, Ralf Mardorf, Simon Gomizelj