Sorry for infected l10n builds.


Channy Yun

Sep 21, 2005, 10:32:31 PM
Dear l10n colleagues,

This is Channy Yun, of the Mozilla Korean community. As you know,
Linux Mozilla 1.7.6 and Thunderbird 1.0.2 Korean were infected.
This news was slashdotted in
http://linux.slashdot.org/linux/05/09/21/1252213.shtml

Rafael offered a public security advisory (September 21, 2005) in
http://www.mozilla.org/security
This infection was related to the hacking of mozilla.or.kr.
http://mozillazine.org/talkback.html?article=6771 . This server was
reinstalled with the latest Linux version and moved to my company's IDC under
a firewall and IDS system. (My company is the 1st Korean portal, Daum.net
owned Lycos.com)

Anyway I'm sorry for my mistake to make infected builds and to disappoint you.
I'll be careful to do it more and more.

I announced this advisory to the following sites:
- Mozilla.or.kr: http://forums.mozilla.or.kr/viewtopic.php?t=4536
- Korean MozillaZine: http://www.mozilla.or.kr/zine/?p=570
- KLDP(Korean Linux Community): http://bbs.kldp.org/viewtopic.php?t=63048
- Gnome Korean User Group : http://gnome.or.kr/forum/viewtopic.php?t=12826
- KDE Korean User Group: http://kde.kldp.org/bbs/viewtopic.php?t=150

Channy Yun
-----------------------------------------
Mozilla Korean Community
http://www.mozilla.or.kr

Zbigniew Braniecki

Sep 22, 2005, 5:07:16 AM
Channy Yun wrote:

> Dear l10n colleagues,
>
> This is Channy Yun, of the Mozilla Korean community. As you know,
> Linux Mozilla 1.7.6 and Thunderbird 1.0.2 Korean were infected.
> This news was slashdotted in
> http://linux.slashdot.org/linux/05/09/21/1252213.shtml

(...)

> Anyway I'm sorry for my mistake to make infected builds and to disappoint you.
> I'll be careful to do it more and more.

Channy, I'm very happy to read your words. Not just because I think that
you should be sorry - from what I know this was a result of an attack
and everyone could be a victim.
I'm happy that the L10N community is slowly creating a group of social people
who cooperate, help each other and discuss the issues.
I hope that we'll organize ourselves even better in the future and we
will be able to create a group under the MLP and Pike's guide that will
be able to take some of the L10N issues off MoFo developers' shoulders and
deal with them by ourselves.


Greetings
Zbigniew Braniecki
--

AviaryPL (http://www.aviary.pl)

Marek Stepien

Sep 22, 2005, 11:33:56 AM
Channy Yun wrote:

> This is Channy Yun, of the Mozilla Korean community. As you know,
> Linux Mozilla 1.7.6 and Thunderbird 1.0.2 Korean were infected.

Maybe I'm stating the obvious here, but this wouldn't have happened if
Suite/SeaMonkey and Thunderbird/1.0.x localization had been done via
CVS. So, it's good that Firefox and Thunderbird 1.5 are being
localized via CVS.

But this really needs to be extended to other apps ASAP and *any*
repackaging should be ceased (this includes e.g. ja-JP or he-IL -
problems with Japanese Firefox should be fixed on Mozilla.org side, so
that repackaging is not needed anymore).

In the meantime, all packages not built by mozilla.org
should be scanned for viruses. Because you can't be sure if the "Korean
situation" hasn't happened to other l10n teams.

Gervase Markham

Sep 22, 2005, 11:38:33 AM
Marek Stepien wrote:
> But this really needs to be extended to other apps ASAP and *any*
> repackaging should be ceased (this includes e.g. ja-JP or he-IL -
> problems with Japanese Firefox should be fixed on Mozilla.org side, so
> that repackaging is not needed anymore).

I'd certainly agree these things should be fixed, although I think there
should be stronger motivations for it than avoiding viruses.

> In the meantime, all packages not built by mozilla.org
> should be scanned for viruses. Because you can't be sure if the "Korean
> situation" hasn't happened to other l10n teams.

That's also true. I believe we are looking internally into why the
safeguards we thought we had in place didn't protect us.

Gerv
