From: Rich Freeman
Date: Sat, 30 Mar 2024 11:14:04 -0400
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
To: gentoo-dev@lists.gentoo.org
References: <20240329204315.3b29449b@Akita> <1671d927-55d5-6f01-2b54-b33981406945@gmail.com>

On Sat, Mar 30, 2024 at 10:57 AM Eddie Chapman wrote:
>
> No, this is the bad actor *themselves* being a
> principal author of the software, working stealthily and in very
> sophisticated ways for years, to manoeuvre themselves and their software
> into a position of trust in the ecosystem whereby they were almost able to
> pull off the mother of all security nightmares for the world.

This is entirely speculative at this point. It isn't certain that the author is the one behind the exploit, and if they were, it is not known for how long their intentions were malicious, or even what their motivations were. It is also unclear what pseudonymous accounts with what projects are associated with the attacker. You could end up being right, but it probably makes sense to at least give things a few days for more facts to become available, before making decisions to retool the entire distro.

I think the bigger challenge is what could have been done to prevent this sort of problem in the first place. There are so many projects that end up with code running as root that have one or two people taking care of them, and if somebody does the work to become one of those maintainers, there aren't many people looking out for problems.

I think one thing that would help here is for distros to have better ways to ensure that the code in the scm matches the code in the tarball. It is pretty common for releases to be manipulated in some way (even if only to gpg sign them, but often to switch from commit IDs to version numbers and so on), and that can be a place where stuff gets added.

That still says nothing about obfuscated code, which this also involved.

-- 
Rich
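One way to do the scm-versus-tarball check Rich describes, as an added example that is not part of this thread or of any Gentoo tooling: the source tree is assumed to come from `git archive` or a checkout at the release tag, and the script hashes both sides and lists files present only in the tarball, only in the tree, or with differing content. The file names, the `proj-1.0` prefix and the sample tree and tarball built by `demo()` are constructed for illustration.

```python
import hashlib, os, tarfile, tempfile
from pathlib import Path

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_digests(tarball: str) -> dict[str, str]:
    """Relative path -> SHA-256 of each regular file; a shared top-level dir is stripped."""
    with tarfile.open(tarball, "r:*") as tf:
        files = [m for m in tf.getmembers() if m.isfile()]
        tops = {Path(m.name).parts[0] for m in files}
        strip = len(tops) == 1 and all(len(Path(m.name).parts) > 1 for m in files)
        return {"/".join(Path(m.name).parts[int(strip):]): _digest(tf.extractfile(m).read())
                for m in files}

def tree_digests(root: str) -> dict[str, str]:
    """Relative path -> SHA-256 of each regular file under root, skipping .git metadata."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            p = Path(dirpath, name)
            out[p.relative_to(root).as_posix()] = _digest(p.read_bytes())
    return out

def compare(tarball: str, tree: str) -> dict[str, list[str]]:
    """Paths only in the tarball (generated or injected), only in the tree, or differing."""
    tb, tr = tarball_digests(tarball), tree_digests(tree)
    return {"only_in_tarball": sorted(tb.keys() - tr.keys()),
            "only_in_tree": sorted(tr.keys() - tb.keys()),
            "differs": sorted(p for p in tb.keys() & tr.keys() if tb[p] != tr[p])}

def demo() -> dict[str, list[str]]:
    """Constructed sample: the tarball edits configure.ac and adds m4/extra.m4 absent from the tree."""
    tmp = Path(tempfile.mkdtemp())
    tree = tmp / "tree"
    tree.mkdir()
    (tree / "configure.ac").write_bytes(b"AC_INIT([proj], [1.0])\n")
    (tree / "src.c").write_bytes(b"int main(void) { return 0; }\n")
    (tmp / "configure.ac").write_bytes(b"AC_INIT([proj], [1.0])\nm4_include([m4/extra.m4])\n")
    (tmp / "extra.m4").write_bytes(b"dnl constructed file present only in the release tarball\n")
    tar = str(tmp / "proj-1.0.tar.gz")
    with tarfile.open(tar, "w:gz") as tf:
        tf.add(str(tree / "src.c"), arcname="proj-1.0/src.c")
        tf.add(str(tmp / "configure.ac"), arcname="proj-1.0/configure.ac")
        tf.add(str(tmp / "extra.m4"), arcname="proj-1.0/m4/extra.m4")
    return compare(tar, str(tree))
```

For a real release, run `compare("release.tar.gz", "git-tree/")` and review every path in `only_in_tarball` and `differs`; generated build files are expected there, which is exactly why they need a second look.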