[net.sources] April Fool's and sources

dlc@zog.cs.cmu.edu.UUCP (03/28/87)

[ I know this doesn't belong on net.sources, but I felt it was relevant there
  in case some people do not read comp.sources.d ]

    I will try an attempt at a public service.  Last year at this time,
someone posted some 'sources' to a utility called relink.  When run, it
was supposed to try and salvage the rm'ed blocks for a file that you zapped
accidentally from the free list.  Of course, the catch was that when unshared
it left a single file in your directory, but I don't remember any details
about it and it altered your .login (or .profile) in a fairly innocent, but
possibly annoying to some, manner.  Personally, I found it amusing, but it
did cause much flack and it pointed out potential problems with getting
net software.  Yes, I got bitten because the files were large, so I figured
that I would unshar it and THEN look at the source, but it did its dirty
work whilst unsharing.  So, I am giving the following advice, which should
be used always.  I wanted to post this sooner, but I forgot.  Also, if
I am the only person that is/was this naive, then I apologize, but apparently
others were bitten too.

	1) Never unshar anything without looking at the shar files first.
	   Mainly look and see what the unsharing process consists of since
	   it is difficult to read source code when packed with shar info.

	2) Be especially careful of sources that arrive near April 1.

	3) After determining that it is safe to unpack the code (no hidden
	   booby traps), examine the source code fairly carefully before
	   compiling/installing it.  I know from reading the net that some
	   people get code, compile it and so on and then complain about
	   bugs, but admit that they do not know C, so can not fix them
	   on their own.  PLEASE, if you get a piece of software and do
	   not understand it (unfamiliarity with the language or it is just
	   obscure), try and find someone to take a look at it.  A person
	   can easily put trojan horses into source code that the unsuspecting
	   and trusting will not notice.  I feel certain that if such a thing
	   occurred, that others on the net would catch it, but something
	   bad could still happen before this occurred.
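One way to do the look that item 1 asks for, as an added example that is not part of the original post: a small POSIX sh inspector that lists the commands a shar archive would actually run (everything outside the here-document bodies that carry the packed files) and flags any line that is not part of the usual shar vocabulary or that touches dotfiles in the home directory. The sample archive is constructed here, including one line of the kind the post describes; the function names (shar_commands, shar_flag, shar_is_clean) and the command allowlist are assumptions of this example, not anything from the post.

```shell
#!/bin/sh
# Write a constructed sample shar archive to the path given as $1.
# It is an ordinary shar body plus one out-of-place command that appends
# to $HOME/.login, the sort of thing the post warns about.
make_sample_shar() {
  cat > "$1" <<'SAMPLE'
#!/bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".
echo shar: extracting "hello.c"
cat > hello.c <<'END_OF_FILE'
#include <stdio.h>
int main(void) { puts("hello"); return 0; }
END_OF_FILE
chmod 644 hello.c
echo 'echo Have a nice day' >> $HOME/.login
echo shar: done
exit 0
SAMPLE
}

# Print the command lines of a shar archive, skipping here-document bodies
# (the packed file contents), blank lines and comments.  Only the commands
# remain, which is what you need to read before typing "sh file".
shar_commands() {
  awk '
    # Inside a here-document: skip until the terminator line (tabs allowed
    # in front of it for the <<- form).
    in_doc { line = $0; sub(/^\t+/, "", line); if (line == term) in_doc = 0; next }
    # A here-document starts here: remember its delimiter, minus any quotes,
    # dash or spaces after "<<", and print the command that opens it.
    match($0, /<<[^A-Za-z0-9_]*[A-Za-z0-9_]+/) {
      term = substr($0, RSTART, RLENGTH)
      sub(/^<<[^A-Za-z0-9_]*/, "", term)
      in_doc = 1
      print; next
    }
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    { print }
  ' "$1"
}

# Flag command lines that (a) start with a command outside the small set a
# shar normally needs, or (b) reference home-directory dotfiles, /etc, or
# $HOME at all.  Allowlist is an assumption chosen for this example.
shar_flag() {
  shar_commands "$1" | awk '
    BEGIN {
      n = split("cat sed echo mkdir chmod test exit if then else fi wc ls", a, " ")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    {
      reason = ""
      if (!($1 in ok))
        reason = "unexpected command"
      else if ($0 ~ /\$HOME|[~]|\/etc\/|\.login|\.profile|\.cshrc/)
        reason = "touches files outside the unpack directory"
      if (reason != "") print "FLAG (" reason "): " $0
    }
  '
}

# Exit status 0 when nothing was flagged, 1 otherwise.
shar_is_clean() {
  [ -z "$(shar_flag "$1")" ]
}

# Usage on the constructed sample: list the commands, then the flagged ones.
if [ "${SHAR_DEMO:-}" = "1" ]; then
  tmp=$(mktemp)
  make_sample_shar "$tmp"
  echo "== commands the archive would run =="
  shar_commands "$tmp"
  echo "== flagged =="
  shar_flag "$tmp"
  rm -f "$tmp"
fi
```

Run it with SHAR_DEMO=1 to see the listing; on the sample the only flagged line is the one appending to $HOME/.login. The inspector is deliberately simple (it does not follow a here-document that itself contains shell code, for instance), so its output is an aid to reading the archive, not a substitute for it.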

That is about all that I could think of for now and I hope it was helpful.
I am not in the slightest trying to be condescending, but only trying to
make sure that no one gets seriously bitten by a posting of 'source' code
on the net.

Oh by the way, have a happy April Fool's day.

-----

Daryl Clevenger,	dlc@zog.cs.cmu.edu		 (ARPA)
			pt.cs.cmu.edu!zog.cs.cmu.edu!dlc (UUCP, I think)