Well, not half, but three quarters. Today I would like to remind you that a developer who has published binary packages for his beloved users should not relax, especially if he also publishes the source code. Why? Because I recently downloaded someone else's sources, and this is what came of it.
I warn you right away that this story will not be very instructive for people with straight hands and version control systems.
“You can't trust anyone, not even yourself. I can.” (Müller)
It all started a couple of days ago, when someone in our qutIM conference posted a link to a new multi-protocol client created in accordance with the wishes of the users of the asechka.su portal. As luck would have it, the client was based on qutIM and was therefore released under the GPL, and at the bottom of the page the author had published a link to the sources.
I was curious and eagerly rushed to download these sources. The program's binary did not interest me, so I limited myself to feeding it to virustotal.com for a check: I had heard about trojaned clients being distributed via asechka.su. This one turned out to be clean, so I moved on to the archive with the source code. And there a surprise awaited me.

What was it? Here is what the archive contained:
- A generated CMakeFiles directory and Makefiles
- Dolphin (KDE) .directory files
- QtCreator generated project files
- A single object file
- Several Linux backup files (filename~)
- Some empty bar_chunk.png_ files
- Some file YandexPackSetup-ase4ka-20100630.exe, which I suspect is an installer of that very Asya
- A style.rar archive with styles (rar inside zip, cool, huh?)
- And the funniest thing: a qutim_vs folder containing the compiled program binary, DLLs with plugins and a config folder with a configured GTalk profile
When I saw this, I almost choked on my tea. Well, I thought, maybe it is some old account, purely for demonstration or something. But my hands automatically reached for the accountsettings.ini file, and within a few minutes I was typing the login and password into my own client. Yes, unexpectedly even for myself, I had logged into someone else's profile. I did not want to snoop or read someone else's mail; from the first subject lines alone I only gathered that the author is some sort of freelancer and Habr user. On his own behalf I sent him a letter saying that he should be more careful with the code, with an invitation to come to the qutIM conference, where I intended to tell him about all the blunders. I marked this letter with a star as important. Half an hour later, having found that he was not reading the mail, I also changed his GTalk status in the hope that one of his friends would notice and call the owner. After waiting a little longer, I left the account.
The password was changed only the next day, in the evening. At least, I tried it during the day out of interest, and it still worked.
During this time I could have pulled all the passwords out of the mail, the letters from friends, mistresses, girlfriend/wife, collected information about all his clients, the materials he had sent and everything else that might be in there. And the fault would lie with a carelessly assembled archive. He never came to our conference, but today I checked: the source archive on the site has changed, and almost all of the trash listed above has been cleaned out of it. That is precisely why I publish this post without the slightest remorse: nobody else will follow in my footsteps.
Young developer, remember: you must check any of your work fifty times before publishing it. Even I check my articles every time: is there anything superfluous in a screenshot, did I accidentally post a link that was not meant for readers. What to say about code, then. Remember another thing too: version control systems are good. They should be used to store the code, not generated project files, compiled binaries and other heresies. Any version control system can do an export, sometimes (bzr or git, for example) even straight into an archive. Use it.
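A pre-release check in the spirit of that advice, as an added example (my code, not qutIM's or the program author's): it opens a zip, flags the kinds of entries found in that archive (generated build directories, desktop metadata, backups, binaries, nested archives, empty files) and reports config files that carry a password key without printing the value. The rule set and the sample archive are constructed for illustration.

```python
import io, re, zipfile

# Things that must never ship in a source release, modelled on the junk list
# above (a hypothetical rule set written for this example, not a real tool's).
JUNK_RULES = [
    ("generated build dir", re.compile(r"(^|/)(CMakeFiles|build)/")),
    ("Dolphin metadata",    re.compile(r"(^|/)\.directory$")),
    ("binary/object file",  re.compile(r"\.(o|obj|exe|dll|so|a|lib)$", re.I)),
    ("editor backup",       re.compile(r"~$")),
    ("nested archive",      re.compile(r"\.(rar|zip|7z|gz)$", re.I)),
]
# Only the key name is reported, so the scan never prints the secret itself.
SECRET_KEY = re.compile(r"^\s*(password|passwd|pwd|token|secret)\s*=", re.I | re.M)

def audit_archive(data: bytes) -> list[tuple[str, str]]:
    # Returns (reason, entry) pairs for every suspicious entry in the zip.
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            if name.endswith("/"):      # directory entry, nothing to check
                continue
            reason = next((r for r, p in JUNK_RULES if p.search(name)), None)
            if reason is None and info.file_size == 0:   # e.g. bar_chunk.png_
                reason = "empty file"
            if reason:
                findings.append((reason, name))
            if name.lower().endswith((".ini", ".conf", ".cfg")):
                for m in SECRET_KEY.finditer(z.read(name).decode("utf-8", "replace")):
                    findings.append((f"credential key '{m.group(1)}'", name))
    return findings

# Constructed sample mimicking the leaked layout; not the real archive.
SAMPLE_ENTRIES = {
    "src/main.cpp": "int main() { return 0; }\n",
    "CMakeFiles/Makefile.cmake": "# generated\n",
    "src/.directory": "[Dolphin]\n",
    "src/main.o": b"\x7fELF",
    "src/main.cpp~": "old\n",
    "images/bar_chunk.png_": b"",
    "style.rar": b"Rar!",
    "qutim_vs/qutim.exe": b"MZ",
    "qutim_vs/config/accountsettings.ini": "[gtalk]\nlogin=a@example.com\npassword=CHANGEME\n",
}

def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in SAMPLE_ENTRIES.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Run against a real release zip before uploading, every item on the list above would have been flagged; with git, `git archive --format=zip HEAD` exports only tracked files, which avoids most of this in the first place.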
And finally, a wish for the author of the program: change all your passwords. And by the way, stop using such simple ones.
Nobody guarantees that no one but me got into the source code, and that all those people are kind, white and fluffy.
Have a nice day and secure releases.