And you’d expect anything different ? … articles like those above are designed to bring them out of the woodwork.
I mean … with titles like “Early sign of Linux becoming less secure”
How the hell has this made Linux “less secure” … now if we dropped the repository system, THEN Linux would become “less secure”.
I’ve said it before … it’s NOT impossible to author malware/viruses for Linux, the problem would be getting it into the software supply chain, and that hasn’t changed.
There’s still little point in a Linux AV, Anti-Virus only works once a threat has been identified and it’s added to the AV definitions … currently the only attack vector would be a compromised software repository, and IF that happened it would be spotted pretty quickly and REMOVED, not just patched against.
Whilst a compromised repo is not beyond the realms of possibility, neither is the compromising of the Windows update system, so no matter how you cut it there are more attack vectors in the Windows software system … in any case it’s HIGHLY unlikely it would cause mass damage as any modified software’s keys wouldn’t match so would be rejected by your package manager … so they’d also need to crack the package signing procedure and/or key stores, AFAIK this has never happened.
IIRC there was a case of compromised software making it into some repo, but was spotted because the keys didn’t match … and there was a case of someones key being cracked … but AFAIK, there’s not been a case of both in tandem that would or could have affected the security of pushed updates … and as I said, that attack vector equally applies to the Windows update system.
And the next person that says linux only has “security through obscurity”, I’m going to track down and humanely put down, they have no right to be taking up space in this world … hte malware/virus authors would make a MUCH bigger name for themselves if they managed to compromise Linux (the articles above prove this … nobody even bothers writing about Windows malware any more). and surely the worlds servers would be the biggest target, and they’re all Linux.
It sounds serious enough to me, even if it's not as serious a threat to a Linux system as they make it out to be the perceived threat can do as much damage to the Linux community as the trojan itself
That’s the whole point of FUD … doesn’t have to be real, just create fear, uncertainty, and doubt … it’s the writers of articles like the ones linked above that should be tracked down, they haven’t questioned “HOW” it’s any more of a threat than a kid posting a malicious bash script on his blog, just jumped on the sensationalist bandwagon … remember, before posting the articles they had an unlimited amount of time to research its attack mechanism, but they “chose” not to, it wouldn’t have been an interesting story then would it ?