Re: Ubuntu what if questionable repository..
Many deb packages have pre/post-install scripts to perform setup and configuration tasks. They are run automatically as part of the installation process, so once you've entered the password to allow the package to install, the scripts can do anything.
In this case, the malicious uploader had edited one of the scripts to include a command that would remove everything from the drive. So, once the user had issued the password to install, the script did its dastardly deed.
It's actually not hard to look at the scripts in a deb package with an ordinary unarchiving tool or a package such as gdebi, if you're concerned about such things. I managed to get hold of a copy of one of these maliciously-altered packages and had it on an encrypted partition for a while - purely out of morbid curiosity, or perhaps as an Exhibit A in case I came across one of those "Linux is totally secure" people in real life. I do remember showing it to my son, who used Ubuntu for a couple of years.
BACKUPS are unsexy — until you discover you should have done one yesterday.
Spare your nerves and do one before you upgrade or install.
Bookmarks