It appears that someone has successfully tricked a few Ubuntu users into installing malware on their computers, see here, and here.
Note that this wasn't a security exploit in the sense that a coding bug was exploited. So far as I can tell, it was a bit of social engineering, where someone tricked someone into running a deb to get a cool screen saver, but the deb really only installed a bit of malware. I suppose this is a bit like a trojan, only the screen saver itself wasn't installed.
What this means is:
- Linux on the desktop has reached the phase where it is interesting for people to attack your system.
- The community may now be infiltrated by untrustworthy people, so the 99.999% of the good people will have to be a bit on the lookout for the bad guys.
- Users will need to be on guard, and question the source of software or other goodies that they are installing a bit more.
This situation is a bit of a bummer, as I think as a community we've had the luxury of widespread trust, and being able to sample goodies from around the web. I suppose we'll need to do more to make it easy for good people to get their software into trusted repositories and, more to the point, put effort into ensuring those repositories are trustworthy!
In the meantime, remember, don't grant install privileges to random .debs. You wouldn't give the keys to your house to a stranger, right?