October 12, 2007 4:06 PM PDT

Bugs in the open-source community?

by Matt Asay

Fortify Software is suggesting that the trusting nature of open-source developers has led to some glaring Trojan horses in their code. The problem with Computer Business Review's analysis ("Is nothing sacred?") is that it overlooks how the same transparency that exposes such a problem in open source also gets it erased. Transparency leads to a solution.

Fortify has identified a new class of bug that is designed to take advantage of the atmosphere of trust that prevails while developers are working with open-source code. It's called "build-process injection," a Trojan horse that allows attackers to insert malicious code into the target program while it is being built.

In this case, attackers surreptitiously replace source code sitting in the repository with an infected version. The result is that the Trojan horse could start doing its dirty work before the application ever reaches the test phase or, depending on the design of the malware, at any point thereafter.
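The defence against the scenario just described is to stop treating "it came from the repository" as proof that a build input is what the maintainer last reviewed. The following is an added example, not Fortify's code and not from any project mentioned on this page: it models a tiny repository as a dict of path to file bytes (constructed sample data, including a placeholder for a downloaded dependency), records a SHA-256 manifest at review time, and refuses to build when any input has been modified, removed, or added without being pinned. All names and file contents are hypothetical.

```python
"""Added example: pin build inputs by digest and verify them before building.

Hypothetical code, not Fortify's or any project's. The 'repository' is a
dict mapping path -> bytes so the whole thing runs offline. The manifest
plays the role of the maintainer's trust anchor: the digest of every
source file and dependency as it was when last reviewed.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(repo: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every file at review time (sorted for stability)."""
    return {path: sha256_hex(data) for path, data in sorted(repo.items())}


def verify_inputs(repo: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means every input matches.

    Three failure modes are checked, because an attacker with write access
    could swap a file, delete one, or drop in a new one the build picks up:
      - modified: same path, different content (the injection case)
      - missing:  a pinned file is gone
      - unpinned: a file exists that nobody reviewed and pinned
    """
    problems: List[str] = []
    for path, expected in manifest.items():
        if path not in repo:
            problems.append(f"missing: {path}")
        elif sha256_hex(repo[path]) != expected:
            problems.append(f"modified: {path}")
    for path in sorted(repo):
        if path not in manifest:
            problems.append(f"unpinned: {path}")
    return problems


def build(repo: Dict[str, bytes], manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Simulated build step: produce an artifact only if verification passes.

    The 'artifact' is just the digest of the concatenated inputs; a real
    build would invoke the compiler here, after the same gate.
    """
    problems = verify_inputs(repo, manifest)
    if problems:
        return False, "build refused: " + "; ".join(problems)
    program = b"".join(repo[path] for path in sorted(repo))
    return True, sha256_hex(program)


# Constructed sample repository (hypothetical paths and contents, not real
# project code). The jar stands in for a dependency fetched at build time.
TRUSTED_REPO: Dict[str, bytes] = {
    "src/main.c": b"int main(void) { return run(); }\n",
    "src/run.c": b"int run(void) { return 0; }\n",
    "lib/helper-1.0.jar": b"PK\x03\x04 constructed placeholder jar bytes",
}
MANIFEST = make_manifest(TRUSTED_REPO)

# The injection: same path and name, different content, planted in the
# repository before the build runs.
TAMPERED_REPO: Dict[str, bytes] = dict(TRUSTED_REPO)
TAMPERED_REPO["src/run.c"] = (
    b"int run(void) { /* constructed malicious payload */ return 0; }\n"
)

if __name__ == "__main__":
    ok, msg = build(TRUSTED_REPO, MANIFEST)
    print("clean checkout:   ", ok, msg)
    ok, msg = build(TAMPERED_REPO, MANIFEST)
    print("tampered checkout:", ok, msg)
```

The manifest has to live somewhere the attacker cannot also rewrite (a signed file, a separate system, or the maintainer's own copy); a digest list committed next to the sources and writable by the same account proves nothing. The same check applies to dependencies a build tool downloads at build time: pin the digest, not just the version string.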

I'm not a developer, but I understand the problem (a developer comes to trust her code repository and so doesn't think to check it before pulling down code). But the one thing that isn't recognized in the problem or the analysis of it is the trust that is required to upload code to an open-source project. It's simply not the case that anyone can do it. The kind of person who would do this sort of thing isn't the sort of person who has the access necessary to accomplish it.

Regardless, I'm willing to bet that a horde of open-source developers with knowledge of the problem will fix it. Exposure leads to solutions; secrecy perpetuates problems.


Via LinuxToday.

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can follow Matt on Twitter @mjasay.
Bugs in the open-source community?
by royrusso October 12, 2007 6:49 PM PDT
Link?

I'm guessing they're referencing OSS projects that use Maven, which at build-time downloads dependencies from somewhere on the internet. If one of the dependencies is infected or downloaded from an untrusted source, then perhaps something unintended can happen... assuming the code even compiles.

Any OSS project lead not safeguarding his dependencies in his own hosting environment needs to get his head examined anyway.
Reply to this comment
Fortify ?
by vexorian October 13, 2007 6:03 AM PDT
"build-process injection," uh oh, I have learned a valuable lesson today: not to trust Fortify, since they are either ignorant with respect to how open source actually works or are acting with malicious intent.

The only way this would happen would be without a maintainer or with one not capable enough, or if one of the core developers actually had the wrong intent, but these are also situations that affect closed projects; it is even riskier there, since the problem cannot be detected as fast.
Reply to this comment
"Theoretical"
by reedhedges October 16, 2007 8:21 AM PDT
Parts of the article imply that they actually discovered a case of this happening, but nowhere in the article does it actually say that. I think this is theoretical. In following and participating in the OSS community for years, I have never heard of this happening. (You can be sure it will be on Slashdot in 5 minutes if anyone ever reported an actual case of this.)
Reply to this comment