From: Rich Freeman
Date: Sun, 31 Mar 2024 08:33:20 -0400
Subject: [gentoo-user] Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
To: gentoo-user@lists.gentoo.org
Cc: stefan11111@shitposting.expert

(moving this to gentoo-user as this is really getting off-topic for -dev)

On Sun, Mar 31, 2024 at 7:32 AM stefan11111 wrote:
>
> Had I seen someone say that a bad actor would spend years gaining the
> trust of FOSS
> project maintainers in order to gain commit access and introduce such
> sophisticated
> back doors, I would have told them to take their meds.
> This is insane.

It makes quite a bit of sense though.

For a low-activity FOSS project, how much manpower does it take to gain a majority share of the governance? In this case it is one person, but even for a big project (such as Gentoo) I suspect that 3-4 people working full time could probably hit upwards of 50% of the commit volume. That doesn't have to be 3-4 "Gentoo developers." It could be 3-4 human beings with 1 admin assistant who manages 50 email addresses that the commits get spread across, and they sign up as 50 Gentoo developers and get 50 votes for the Council (and probably half the positions there if they want them), the opportunity to peer review "each other's" contributions, and so on.

I just use Gentoo as an example as we're all familiar with it and probably assume it couldn't happen here. As you go on, the actual targets are likely to be other projects...

> If this happened to something like firefox, I don't think anyone would
> have found out.
> No one bats an eye if a website loads 0.5s longer.

It seems likely that something like this has ALREADY happened to firefox. It might also happen with commercial software, but the challenge there is HR as you can't just pay 1 person to masquerade as 10 when they all need to deal with payroll taxes.

We're going on almost 20 years since the Snowden revelations, and back then the NSA was basically doing intrusion on an industrial scale. You'd have dev teams building zero days and rootkits, sysadmin teams who just administrate those back doors to make sure there are always 2-3 ways in just in case one gets closed, SMEs who actually make sense of the stolen data, rooms full of engineers who receive intercepted shipments of hardware and install backdoors on them, and so on.

We're looking at what probably only one person can do if they can dedicate full time to something like this. Imagine what a cube farm full of supervised developers with a $50M budget could do, and that is pocket change to most state actors. The US government probably spends more than that in a year on printer paper.

-- 
Rich