How do we know?
Posted Dec 20, 2007 15:43 UTC (Thu) by corbet
In reply to: The backdooring of SquirrelMail
Parent article: The backdooring of SquirrelMail
Peer review did work with SquirrelMail - somebody reviewed the checksum and raised the alarm. There was no possibility for review to happen any earlier - that code did not go through the ordinary process. The fact that almost all backdoor attempts have targeted the distribution point (the final tarball) rather than some point earlier in the process suggests that getting a backdoor in that way is hard.
In other cases where backdoors have actually made it into source repositories (interbase, for example, or the mICQ incident), peer reviewers have caught the problem. The interbase backdoor lasted for a year and a half, but I do not think it was being exploited. It was something the developers left in by mistake. I do not know of a case where a trojan was introduced into a free software project, then was exploited for any significant period of time before being found.
That, of course, does not say that no such compromise exists. But I would be more concerned about long-term backdoors if there had been some cases of compromises which lasted for an intermediate period of time.