
This is really just a rant about how poorly PuTTY is distributed (and a vague implication that it is malware of some sort).

I think it is a valid criticism, and I wish the person who wrote PuTTY (an SSH client for Windows) would be more open/available/transparent, but it is hard to force that on someone.



This is not just a rant. As of two days ago, there is a hostile version of PuTTY in the wild.[1][2] It's on some mirror sites distributing open source software. It steals login credentials. Right now, it's essential to be able to tell the good one from the bad ones, and it's not easy.

[1] http://www.symantec.com/connect/blogs/check-your-sources-tro...
[2] http://blogs.cisco.com/security/trojanized-putty-software


This really should be a top level comment. I was unaware of this as an issue, and a couple of HN posts on this topic got no traction. Thanks for bringing it up!


> As of two days ago, there is a hostile version of PuTTY

A small correction -- from the Symantec blog post:

"this file has been in the wild since late 2013 and it was first seen in Virus Total around the same time. However, we have only seen this sample broadly distributed recently. Distribution in 2013 was minimal, and we saw a gap of a year and a half before it reappeared again."


Interesting; this should be in the original article as well! I used PuTTY a lot until I switched my desktop to Linux full time.


The original article is from over a year ago. It wasn't in response to anything in particular, but it doesn't have to be.

If you see something potentially vulnerable, you don't have to wait until it's been exploited to report it.


I would argue this is a problem because of the lack of an actual package manager for the distros PuTTY is used on.

If there was a formal package management system in place for these OSs this would have been less of a problem from the beginning, but they're only getting around to it now as I understand it.


> but it is hard to force that on someone

Everyone who distributes exe files should include some form of authentication; otherwise you are just sloppy. In all likelihood he doesn't check authenticity of software on his end, so you can imagine other risks as well.
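As an added illustration of the "tell the good one from the bad ones" problem raised in this thread (example code, not from any commenter or from the PuTTY project): a publisher emits a sha256sum-style manifest for its genuine build, and the downloader refuses any file whose digest differs or that the manifest does not list. The artifact bytes and file names are constructed; the manifest is assumed to be fetched from the project's own site, not from the mirror serving the binary, since a checksum hosted beside a trojanized file vouches for nothing.

```python
"""Verify downloaded installers against a publisher's SHA-256 manifest."""
import hashlib
import hmac

# Constructed stand-ins for a genuine installer and a trojanized copy of it.
GENUINE_BUILD = b"MZ\x90\x00genuine-putty-build-bytes"
TAMPERED_BUILD = GENUINE_BUILD + b"credential-stealer-stub"
HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> str:
    """Publisher side: one 'hexdigest  filename' line per genuine artifact."""
    return "\n".join(f"{sha256_hex(data)}  {name}"
                     for name, data in sorted(artifacts.items()))


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Malformed lines are an error, not a silent skip: a manifest that was
    mangled in transit must not be treated as a partial success.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)  # digest, then the rest as the file name
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX_DIGITS:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries[parts[1]] = parts[0].lower()
    return entries


def verify_download(name: str, data: bytes, manifest: dict) -> bool:
    """Consumer side: True only if the file is listed and its digest matches."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unlisted file: nothing vouches for it
    # Constant-time comparison; a plain == is fine for hashes but this is the habit to keep.
    return hmac.compare_digest(sha256_hex(data), expected)


def check_mirror_downloads() -> dict:
    """Run the genuine and tampered copies through the same check."""
    manifest = parse_manifest(build_manifest({"putty.exe": GENUINE_BUILD}))
    return {
        "genuine": verify_download("putty.exe", GENUINE_BUILD, manifest),
        "tampered": verify_download("putty.exe", TAMPERED_BUILD, manifest),
        "unlisted": verify_download("puttygen.exe", GENUINE_BUILD, manifest),
    }
```

The same check applies to a signed manifest: verify the signature over the manifest text first, then run `parse_manifest` and `verify_download` on it.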



