Re: [Devil-Linux-discuss] Updating to 1.2.11

[Dick M. <di...@li...>]

Bruce Smith wrote:
>>>> Whilst these are minor irritants it does bother me that things are being added 
>>>> to the system without proper auditing.  This is supposed to be a secure system 
>>>> and addition of unverified software obviously gives an opportunity for malware 
>>>> to be unwittingly installed.
>>> Can you be more specific about what unverified software you're referring to?
>> aide and awstats.
> 
> How do you suggest we audit them?  Do you expect us to go through the
> source code line by line?

These things are always difficult.  I suppose just trying it out might be a good 
start.  If you've worked with it and configured it to suit DL organisation then 
you'll know what it comprises.

> (We'll get back to you in about 50 years, as
> soon as we're done with the kernel :)

:-)

> Or can we trust other sources to audit them?  

That's up to you.  We trust you, we have to and we want to.

> Personally I didn't add them, and I've never used either of those
> packages. 

Quite.  The fact that aide doesn't work tells a story.

> Do either of those packages start by _default_ when you boot DL?

Yes. Any program/script placed in /etc/cron.daily for example will be executed 
as root.  So far as I know this is the only way aide is executed.  Had aide 
install been good then everybody would be running it whether they wanted to or 
not.  There's a thing called logwatch also arrived in this DL version which does 
work.  It is also started in cron.daily.   First I knew about it was its report 
in my inbox.

> If so, then you _may_ be correct that there is a problem.

 > What evidence do you have that either of those packages are malware?

I hope there isn't any.

Dick