Signed upstream tarballs in Debian#

In the past, numerous [1][2][3][4][5][6][7] file distribution servers were compromised and the attacker replaced a release tarball or zip with a modified version containing a backdoor. Distributions usually rely on some form of signatures to protect their own infrastructure against this kind of attack, but that protection does not cover the initial retrieval of the source code from upstream (usually done by downloading the release tarball).
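The gap described above is the step between "upstream published a tarball" and "the distribution imported it". The following is an added example, not code from the original post or from Debian's tooling: it shows the fail-closed check a maintainer would run against a fetched tarball, comparing its digest with an entry in a SHA256SUMS-style manifest that is assumed to have been obtained through an already-verified channel (in practice the manifest or the tarball carries an upstream OpenPGP signature that is checked first; Debian's uscan can do that against a key shipped in debian/upstream/signing-key.asc). The tarball bytes, the tampered copy and the manifest are all constructed in-process so the example runs offline.

```python
"""Added example: fail-closed verification of a fetched upstream tarball
against a trusted SHA256SUMS-style manifest (hypothetical file names)."""
import hashlib
import hmac

# Constructed sample data: the "genuine" release bytes and a tampered copy
# with an extra file appended, standing in for an injected backdoor.
GENUINE_TARBALL = b"PK\x03\x04 release-1.0: src/main.c configure.ac Makefile.in"
TAMPERED_TARBALL = GENUINE_TARBALL + b" src/.helper.c"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the raw tarball bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse lines in the `sha256sum` output format: '<hex>  <filename>'.

    Malformed lines raise instead of being skipped, so a truncated or
    corrupted manifest cannot silently drop entries.
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        hex_digest, name = parts
        # sha256sum marks binary mode with a leading '*' before the name.
        digests[name.lstrip("*")] = hex_digest.lower()
    return digests


def verify_tarball(name: str, data: bytes, manifest: dict) -> bool:
    """Return True only if the tarball's digest matches its manifest entry.

    A missing entry is a failure, not "unverified": the import must never
    fall through to using an unchecked tarball.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed manifest, as the maintainer would have recorded it from the
# signature-verified upstream release at the time of the first import.
TRUSTED_MANIFEST_TEXT = f"{sha256_hex(GENUINE_TARBALL)}  release-1.0.tar.gz\n"


def check_fetch(data: bytes) -> str:
    """Decide whether a freshly fetched tarball may enter the packaging step."""
    manifest = parse_sha256sums(TRUSTED_MANIFEST_TEXT)
    if verify_tarball("release-1.0.tar.gz", data, manifest):
        return "ok"
    return "REJECT"


if __name__ == "__main__":
    print("genuine :", check_fetch(GENUINE_TARBALL))   # ok
    print("tampered:", check_fetch(TAMPERED_TARBALL))  # REJECT
```

The digest comparison uses a constant-time compare and treats an absent manifest entry as a rejection; both choices matter less than the ordering they assume, namely that the manifest itself was authenticated (by an upstream signature) before any digest in it is trusted. Without that first step a server compromise that replaces both the tarball and the checksum file goes undetected.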

More... [8]
  • [1] https://sourceforge.net/blog/phpmyadmin-back-door/
  • [2] https://forums.unrealircd.com/viewtopic.php?t=6562
  • [3] https://forums.proftpd.org/smf/index.php?topic=5206.0
  • [4] https://h-online.com/-913588
  • [5] https://lwn.net/Articles/450181/
  • [6] https://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
  • [7] https://scarybeastsecurity.blogspot.cz/2011/07/alert-vsftpd-download-backdoored.html
  • [8] https://narfation.org/2013/06/23/signed-upstream-tarballs-in-debian