From: orbea <orbea@riseup.net>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
Date: Mon, 1 Apr 2024 09:21:13 -0700 [thread overview]
Message-ID: <20240401092113.7018fbec@Akita> (raw)
In-Reply-To: <gt4aog3m6xzoul2sd7ugm3txx77yslnyrc42wwkww3mgkagezl@hvu3dglaqwvn>
On Mon, 1 Apr 2024 12:01:13 -0400
Kenton Groombridge <concord@gentoo.org> wrote:
> On 24/04/01 08:40AM, orbea wrote:
> > On Mon, 1 Apr 2024 11:14:15 -0400
> > Kenton Groombridge <concord@gentoo.org> wrote:
> >
> > > On 24/03/31 12:13PM, Eddie Chapman wrote:
> > > > Eli Schwartz wrote:
> > > > > On 3/29/24 11:07 PM, Eddie Chapman wrote:
> > > > >
> > > > >> Given what we've learnt in the last 24hrs about xz utilities,
> > > > >> you could forgive a paranoid person for seriously considering
> > > > >> getting rid entirely of them from their systems, especially
> > > > >> since there are suitable alternatives available. Some might
> > > > >> say that's a bit extreme, xz-utils will get a thorough audit
> > > > >> and it will all be fine. But when a malicious actor has been
> > > > >> a key maintainer of something as complex as a decompression
> > > > >> utility for years, I'm not sure I could ever trust that
> > > > >> codebase again. Maybe a complete rewrite will emerge, but
> > > > >> I'm personally unwilling to continue using xz utils in the
> > > > >> meantime for uncompressing anything on my systems, even if
> > > > >> it is done by an unprivileged process.
> > > > >
> > > > >
> > > > > It suffices to downgrade to the version of xz before a social
> > > > > engineering attack by a malicious actor to gain
> > > > > maintainership of the xz project.
> > > > >
> > > > > Have you been linked to this yet?
> > > > > https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html
> > > > >
> > > > > --
> > > > > Eli Schwartz
> > > > >
> > > >
> > > > Yes I saw that yesterday. It only increased my level of concern
> > > > about the project ten-fold rather than decreased it,
> > > > particularly because of "he has been helping a lot off-list and
> > > > is practically a co-maintainer already".
> > > >
> > > >
> > >
> > > I think it's important to realize that this could have potentially
> > > happened to any number of various open source projects, not just
> > > xz-utils. Simply ripping it out and replacing it is not enough to
> > > prevent these kinds of issues from happening in the future.
> > >
> > > There is a major shifting of perspectives as a result of this
> > > unfortunate compromise. Right now there are serious considerations
> > > about banning (or otherwise auditing) binary blobs in some
> > > projects. There are talks about banning the use of older build
> > > systems like autotools in favor of ones more easily readable and
> > > auditable.
> >
> > Talk about throwing the baby out with the bathwater...
> >
>
> Let's not shoot the messenger here. :)
>
> I cited this specific example to highlight the shared intent behind
> positive changes to auditing code not just in the program but also its
> build system. I didn't mean to imply that this was a great solution.
Thanks for clarifying that, it wasn't clear to me when I read the
earlier e-mail.
Personally I think the long term solution is to identify critical code
bases that have a low bus factor before the bad actors do and make a
concentrated community effort to help audit and maintain these code
bases.
>
> > Its fully possible to write autotools build systems which are simple
> > and easy to audit. Depending on what blob does it may be far from
> > trivial or advisable to get rid of it.
> >
> > This attack as already has been clearly stated is social, not
> > technical. If xz-utils used meson or cmake instead it would of not
> > changed the situation.
> >
> > > Ultimately what is happening is a reflection on how we audit
> > > critical system components and contributions made to them. Change
> > > is not going to happen over night.
> > >
> > > We saw a similar shift with OpenSSL's heartbleed, which
> > > ultimately led to positive changes in code quality and improving
> > > their vulnerability reporting process.
> > >
> > > There is some good to come of this event, but it's important to
> > > recognize what went wrong and how open source can improve as a
> > > whole.
> >
> >
>
next prev parent reply other threads:[~2024-04-01 16:21 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-30 3:07 [gentoo-dev] Current unavoidable use of xz utils in Gentoo Eddie Chapman
2024-03-30 3:43 ` orbea
2024-03-30 7:06 ` Dale
2024-03-30 10:47 ` [gentoo-dev] " Duncan
2024-03-30 11:32 ` [gentoo-dev] " Rich Freeman
2024-03-30 14:57 ` Eddie Chapman
2024-03-30 15:02 ` Michał Górny
2024-03-30 15:17 ` Eddie Chapman
2024-03-30 15:29 ` Michał Górny
2024-03-30 15:59 ` Eddie Chapman
2024-03-30 16:07 ` Dale
2024-03-30 17:13 ` Re[2]: " Stefan Schmiedl
2024-03-30 17:36 ` Eddie Chapman
2024-03-31 1:41 ` Thomas Gall
2024-03-30 23:49 ` Eddie Chapman
2024-03-31 1:36 ` Eli Schwartz
2024-03-30 15:23 ` orbea
2024-03-30 15:14 ` Rich Freeman
2024-03-30 17:19 ` Eddie Chapman
2024-03-31 1:25 ` Sam James
2024-03-31 1:33 ` Eli Schwartz
2024-03-31 11:13 ` Eddie Chapman
2024-03-31 11:59 ` Matt Jolly
2024-04-01 7:57 ` Eddie Chapman
2024-04-01 14:50 ` Eli Schwartz
2024-04-02 8:43 ` Eddie Chapman
2024-04-02 19:46 ` Eli Schwartz
2024-04-02 20:19 ` Eddie Chapman
2024-04-01 14:55 ` Michał Górny
2024-04-02 9:02 ` Eddie Chapman
2024-04-01 15:14 ` Kenton Groombridge
2024-04-01 15:40 ` orbea
2024-04-01 16:01 ` Kenton Groombridge
2024-04-01 16:21 ` orbea [this message]
2024-04-01 18:51 ` Kévin GASPARD DE RENEFORT
2024-04-01 20:07 ` James Le Cuirot
2024-04-02 6:32 ` Joonas Niilola
2024-03-31 11:32 ` stefan11111
2024-04-01 14:56 ` Azamat Hackimov
2024-04-02 19:32 ` Eddie Chapman
2024-04-03 11:47 ` [gentoo-dev] " Duncan
2024-04-03 12:14 ` Sam James
2024-04-03 15:30 ` [gentoo-dev] " Eddie Chapman
2024-04-03 16:40 ` Michael Orlitzky
2024-04-04 3:20 ` [gentoo-dev] " Duncan
2024-04-04 3:49 ` [gentoo-dev] " Eli Schwartz
2024-04-04 8:32 ` Sam James
2024-04-04 8:34 ` Kévin GASPARD DE RENEFORT
2024-04-04 14:38 ` Eddie Chapman
2024-04-04 14:24 ` Eddie Chapman
2024-04-06 11:57 ` Eddie Chapman
2024-04-06 12:15 ` Ulrich Mueller
2024-04-06 12:34 ` Roy Bamford
2024-04-06 14:04 ` Fabian Groffen
2024-04-07 6:44 ` Eddie Chapman
2024-04-06 16:15 ` Sam James
2024-04-07 11:24 ` Eddie Chapman
2024-04-11 5:21 ` Joonas Niilola
2024-04-12 7:18 ` [gentoo-dev] " Duncan
2024-04-13 7:10 ` [gentoo-dev] " Eddie Chapman
2024-04-03 12:22 ` [gentoo-dev] " Kévin GASPARD DE RENEFORT
2024-04-03 12:26 ` Kévin GASPARD DE RENEFORT
2024-04-04 1:41 ` Duncan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240401092113.7018fbec@Akita \
--to=orbea@riseup.net \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox