Packaging request #2433
The Morris worm was one of the first computer worms distributed via the Internet.
A hack was used to compile it.
You can find it here: https://aur.archlinux.org/morris-worm.git
- Assignee set to GNUtoo
For me it looks like a very funny joke.
Like any other package, to package it in Parabola as a program that you can run, we would at least need to make sure that:
- Installing and running that package doesn't pose any security risk to the user.
- There are other valid use cases (like security testing) than attacking people's computers (that are running very old software) without their consent.
- All the software is under a free software license, and that it follows the FSDG guidelines.
Here, the very nature of that program (a worm) makes it very hard to impossible to get people's consent, and makes it very easy to mess up.
More information about that software, which is part of computing history, can be found here: https://en.wikipedia.org/wiki/Morris_worm
For more information about upstream status:
Updated by oaken-source 12 months ago
I have filed a deletion request. This package most likely will be removed from AUR (if it is not useful, as I don't see anything about malware in their guidelines).
Close this issue.
It seems that the package is gone from the AUR now...
While I agree that this packaging request was ill-conceived, I do believe that deleting that package from the AUR was a mistake. It can still be useful for demonstration purposes, research and education.
Even though the software is basically a virus -- or maybe especially because it's a virus -- being able to read the source and understand its design and behaviour can be a benefit. Please be more considerate, and less hasty with your deletion requests in the future.
I think it was a good idea to delete it from AUR because many Arch users can very easily (with a pacman wrapper) install software listed on AUR.
So for them it's not much different than pacman -S morris-worm.
So only the FSDG compliance issue may not apply to Arch, and all the other concerns are still valid for them.
While the packaging request is really funny, we also have between 400 and 500 other issues to fix in all the issue trackers.
Some Parabola developers (like me) are also involved in other Free software projects as well.
So while there might be some corner case use cases, we also have much more important things to do than seriously discussing packaging a worm in Arch Linux and Parabola.
Note that here we're only talking about packaging that software in an executable form.
Off the top of my head, all the corner case use cases that I can think of do require:
- To read the source code of the worm
- To make sure that it doesn't harm you or other people.
For the latter, it would probably require either fixing the source code or making sure that people using it really understand what they're doing and have taken appropriate measures not to harm others.
For the use cases:
- To use it as a tool to assess security, it would need to be modified not to infect the (very old) operating systems but only to probe for the vulnerability in a harmless way. As far as I know, security tools like Metasploit don't contain worms that automatically replicate themselves. So it's much easier to make sure that you get people's consent when using a tool like that.
- To be used as a demonstration in a museum, or some other similar environment, you would probably need to make sure that it doesn't infect other people's computers without their consent.
In any case, a user could install it just for fun, to test it, without really understanding the implications. We would need to make sure that this doesn't happen.
GNU/Linux distributions like Kali Linux (which is not FSDG compliant) don't have any worms either in their package list.
There is also the fact that anyone who wanted to could download and compile the
source so there is no real reason to package it. It's not like we are
disappearing it from the world. We just aren't going to leave a hand grenade
lying around where some unsuspecting person might wonder what it is and does
and pull the pin.
In order to be eligible to upload to the AUR, software must meet the rules of submission. Whoever uploaded morris-worm presumably failed to think about the aspect that requires the package be useful to more than one person.
The AUR is not the appropriate place to upload interesting museum pieces of computing history. It is the appropriate place to upload software that other Arch Linux users (and by extension other pacman-using derivatives) can install and use.
The package had no use case and was therefore deleted. It's pretty open and shut. I'm actually surprised it spawned so much discussion both here, there, and in Arch's IRC channels!