Hi, I have looked into this a bit.
> Some of the source packages were caught on a gateway anti-virus scanner while
> downloading.

Using a gateway anti-virus scanner for downloads from the Debian archive seems a bit inappropriate, well, paranoid. Checking the signed hashsums would seem a lot better to verify the downloads; if Debian's infrastructure were compromised so viruses could get in *and* be signed, we and you have other problems.

> http://ftp.fi.debian.org/[...]

If you suspect an issue with the Debian archive, please test against ftp.debian.org.

> I looked into one of these, libmail-deliverystatus-bounceparser-
> perl_1.531.orig.tar.gz, and found a multipart email file containing a zip
> attachment. Inside this archive is a .pif file (PE32 executable for MS
> Windows)
> which is detected as Win32.Worm.Mytob.EF.

Yes, and the package carries it because it needs it in its operation. Have you read the README file?

> This doesn't look like a false positive.

It isn't a false positive in the sense that the package *does* in fact contain the virus sample. However, it *is* a false positive, as the sample is there intentionally, and no virus scanner can guess the reason why it is there. It does no harm in the location where it is, it will not spread, so is it in fact a virus? No, it isn't.

> I hope that the source packages would be sanitized from any actual
> malware samples.

If a package has to contain virus samples for its operation, then how should anyone sanitize it? You just found one more reason why anti-virus sucks.

(JM2C, I am not a Debian release engineer or DD.)

Cheers,
Nik

--
<burny> One Jabber account to find them all; to drive them into darkness and bind them forever; in NaturalNet, where the shadows loom ;)!
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
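The reply's point is that the integrity check for an archive download is the signed hashsums, not a content scanner. As an added illustration (not code from the thread or from Debian's tools), the block below parses the `Checksums-Sha256` field of a `.dsc` file and checks the listed files' size and SHA-256 against what is on disk. It assumes the `.dsc` has already been signature-verified (a real `.dsc` is a clearsigned OpenPGP message; `gpg --verify` or `dscverify` does that step), and the file contents and `.dsc` text it uses are constructed for the demo, not real packages.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the source files a .dsc lists; not real archives.
SAMPLE_FILES = {
    "example_1.0.orig.tar.gz": b"constructed tarball bytes, not a real archive\n",
    "example_1.0-1.debian.tar.xz": b"constructed debian tarball bytes\n",
}


def build_dsc(files):
    """Build a minimal, constructed .dsc body with a Checksums-Sha256 field.

    A real .dsc carries more fields and is wrapped in a clearsigned OpenPGP
    message; the signature must be verified before these hashes are trusted.
    """
    lines = ["Format: 3.0 (quilt)", "Source: example", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Files:")  # present in real .dsc files; ignored by this check
    return "\n".join(lines) + "\n"


def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from a multi-line checksum field.

    The field's entries are continuation lines starting with one space, in
    the form "<hash> <size> <filename>"; any other line ends the field.
    """
    entries = {}
    in_field = False
    for line in dsc_text.splitlines():
        if in_field:
            if line.startswith(" "):
                digest, size, name = line.split()
                entries[name] = (digest.lower(), int(size))
                continue
            in_field = False
        if line.startswith(field + ":"):
            in_field = True
    return entries


def verify_checksums(dsc_text, directory):
    """Compare each listed file's size and SHA-256 against the copy on disk.

    Returns {filename: bool}. A missing file counts as a failure, and the
    size is checked too so a truncated download is reported, not just a
    tampered one.
    """
    results = {}
    for name, (expected, size) in parse_checksums(dsc_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        results[name] = (len(data) == size
                         and hashlib.sha256(data).hexdigest() == expected)
    return results


def demo(tamper=False):
    """Write the constructed files to a temp dir and verify them.

    With tamper=True one byte is appended to the orig tarball to show how a
    modified download is reported.
    """
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        dsc = build_dsc(SAMPLE_FILES)
        if tamper:
            with open(os.path.join(d, "example_1.0.orig.tar.gz"), "ab") as fh:
                fh.write(b"X")
        return verify_checksums(dsc, d)


if __name__ == "__main__":
    print("clean:", demo())
    print("tampered:", demo(tamper=True))
```

Only the hashsum step is shown; on its own it proves nothing, because an attacker who replaced the tarball could replace the `.dsc` as well. The signature on the `.dsc`, checked against the Debian keyring, is what ties the hashes to the archive, which is the reply's argument.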