From: Rich Freeman <rich0@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
Date: Sat, 30 Mar 2024 11:14:04 -0400 [thread overview]
Message-ID: <CAGfcS_=3HK0F3F+oc+cfjx+-5MFQTQ48uughUr641DTh4sGSLA@mail.gmail.com> (raw)
In-Reply-To: <d2aab38197a2c692bf240210bbf2f784.squirrel@ukinbox.ecrypt.net>
On Sat, Mar 30, 2024 at 10:57 AM Eddie Chapman <eddie@ehuk.net> wrote:
>
> No, this is the the bad actor *themselves* being a
> principal author of the software, working stealthily and in very
> sophisticated ways for years, to manoeuvrer themselves and their software
> into a position of trust in the ecosystem whereby they were almost able to
> pull off the mother of all security nightmares for the world.
This is entirely speculative at this point. It isn't certain that the
author is the one behind the exploit, and if they were, it is not
known for how long their intentions were malicious, or even what their
motivations were. It is also unclear what pseudonymous accounts with
what projects are associated with the attacker.
You could end up being right, but it probably makes sense to at least
give things a few days for more facts to become available, before
making decisions to retool the entire distro.
I think the bigger challenge is what could have been done to prevent
this sort of problem in the first place. There are so many projects
that end up with code running as root that have one or two people
taking care of them, and if somebody does the work to become one of
those maintainers, there aren't many people looking out for problems.
I think one thing that would help here is for distros to have better
ways to ensure that the code in the scm matches the code in the
tarball. It is pretty common for releases to be manipulated in some
way (even if only to gpg sign them, but often to switch from commit
IDs to version numbers and so on), and that can be a place where stuff
gets added. That still says nothing about obfuscated code, which this
also involved.
--
Rich
next prev parent reply other threads:[~2024-03-30 15:14 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-30 3:07 [gentoo-dev] Current unavoidable use of xz utils in Gentoo Eddie Chapman
2024-03-30 3:43 ` orbea
2024-03-30 7:06 ` Dale
2024-03-30 10:47 ` [gentoo-dev] " Duncan
2024-03-30 11:32 ` [gentoo-dev] " Rich Freeman
2024-03-30 14:57 ` Eddie Chapman
2024-03-30 15:02 ` Michał Górny
2024-03-30 15:17 ` Eddie Chapman
2024-03-30 15:29 ` Michał Górny
2024-03-30 15:59 ` Eddie Chapman
2024-03-30 16:07 ` Dale
2024-03-30 17:13 ` Re[2]: " Stefan Schmiedl
2024-03-30 17:36 ` Eddie Chapman
2024-03-31 1:41 ` Thomas Gall
2024-03-30 23:49 ` Eddie Chapman
2024-03-31 1:36 ` Eli Schwartz
2024-03-30 15:23 ` orbea
2024-03-30 15:14 ` Rich Freeman [this message]
2024-03-30 17:19 ` Eddie Chapman
2024-03-31 1:25 ` Sam James
2024-03-31 1:33 ` Eli Schwartz
2024-03-31 11:13 ` Eddie Chapman
2024-03-31 11:59 ` Matt Jolly
2024-04-01 7:57 ` Eddie Chapman
2024-04-01 14:50 ` Eli Schwartz
2024-04-02 8:43 ` Eddie Chapman
2024-04-02 19:46 ` Eli Schwartz
2024-04-02 20:19 ` Eddie Chapman
2024-04-01 14:55 ` Michał Górny
2024-04-02 9:02 ` Eddie Chapman
2024-04-01 15:14 ` Kenton Groombridge
2024-04-01 15:40 ` orbea
2024-04-01 16:01 ` Kenton Groombridge
2024-04-01 16:21 ` orbea
2024-04-01 18:51 ` Kévin GASPARD DE RENEFORT
2024-04-01 20:07 ` James Le Cuirot
2024-04-02 6:32 ` Joonas Niilola
2024-03-31 11:32 ` stefan11111
2024-04-01 14:56 ` Azamat Hackimov
2024-04-02 19:32 ` Eddie Chapman
2024-04-03 11:47 ` [gentoo-dev] " Duncan
2024-04-03 12:14 ` Sam James
2024-04-03 15:30 ` [gentoo-dev] " Eddie Chapman
2024-04-03 16:40 ` Michael Orlitzky
2024-04-04 3:20 ` [gentoo-dev] " Duncan
2024-04-04 3:49 ` [gentoo-dev] " Eli Schwartz
2024-04-04 8:32 ` Sam James
2024-04-04 8:34 ` Kévin GASPARD DE RENEFORT
2024-04-04 14:38 ` Eddie Chapman
2024-04-04 14:24 ` Eddie Chapman
2024-04-06 11:57 ` Eddie Chapman
2024-04-06 12:15 ` Ulrich Mueller
2024-04-06 12:34 ` Roy Bamford
2024-04-06 14:04 ` Fabian Groffen
2024-04-07 6:44 ` Eddie Chapman
2024-04-06 16:15 ` Sam James
2024-04-07 11:24 ` Eddie Chapman
2024-04-11 5:21 ` Joonas Niilola
2024-04-12 7:18 ` [gentoo-dev] " Duncan
2024-04-13 7:10 ` [gentoo-dev] " Eddie Chapman
2024-04-03 12:22 ` [gentoo-dev] " Kévin GASPARD DE RENEFORT
2024-04-03 12:26 ` Kévin GASPARD DE RENEFORT
2024-04-04 1:41 ` Duncan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGfcS_=3HK0F3F+oc+cfjx+-5MFQTQ48uughUr641DTh4sGSLA@mail.gmail.com' \
--to=rich0@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox