On 2024-03-31 07:19, der.hans via PLUG-discuss wrote:
> On 30 Mar 2024, Matthew Crews via PLUG-discuss wrote:
>
> > Among the many questions that need to be asked:
> >
> > 1. How can we trust source tarballs / archive files to be 100% correct versus
> > source code?
>
> Reproducible builds help with that.

Reproducible builds would not have necessarily caught this if it were embedded into the source code itself. The only reason this one was caught is because the attacker was a bit sloppy and injected it into the compiler configs in the source tarball, and relied on downstream devs being lazy (instead of doing a git clone, they just download the tarball). Had he just embedded it into the source code itself, it probably would have never been caught until many years later.

> > 2. Without looking at the source code line-by-line, how do we detect supply
> > chain attacks before they are propagated to end users?
>
> Maybe peer review and audits as the code goes in. That'll take a lot of
> effort, especially for small projects.

Hindsight is 20/20, and it looks like this specific project suffered from developer burnout. Which is all too common. I'm reminded of a certain XKCD comic, and I think we all know how much the modern world relies on this poor guy from Nebraska: https://xkcd.com/2347/

The burnout (and subsequent personal attacks) led to a new maintainer being brought on board --- with the original developer under unnecessary pressure to do so --- and this new maintainer worked to gain significant trust before gaining the keys to the kingdom and injecting the back door.

Up until now I'm not sure many people strongly considered this a threat model, but here we are.

---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
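The tarball-versus-checkout question raised in the thread above, as an added example that is not part of the original thread or of any project it discusses: a Python script that compares a downloaded release tarball against the VCS checkout at the same tag and reports files present only in the tarball, files present only in the checkout, and files whose contents differ. Files that exist only in the tarball (generated build scripts and macros) are exactly where a tarball-only injection hides from anyone who builds from a git clone, so they are the first thing an audit should list. All names and sample data (the `proj-1.0` tarball, its file contents) are constructed for the demo.

```python
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_entries(tar_bytes: bytes) -> dict:
    """Map tarball paths (top-level directory stripped) to content hashes."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue  # skip directories, symlinks, devices
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            entries[path] = sha256(tf.extractfile(member).read())
    return entries

def compare(tarball: dict, tree: dict) -> dict:
    """tarball: path -> sha256; tree: path -> bytes from a checkout at the tag."""
    tree_hashes = {p: sha256(b) for p, b in tree.items()}
    both = tarball.keys() & tree_hashes.keys()
    return {
        "tarball_only": sorted(tarball.keys() - tree_hashes.keys()),  # audit first
        "tree_only": sorted(tree_hashes.keys() - tarball.keys()),
        "modified": sorted(p for p in both if tarball[p] != tree_hashes[p]),
    }

def build_tarball(files: dict, top: str = "proj-1.0") -> bytes:
    """Constructed sample tarball standing in for a downloaded release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data (hypothetical project): the tarball carries one
# generated m4 file the checkout lacks and a configure.ac with an extra line.
TREE = {"configure.ac": b"AC_INIT([proj], [1.0])\n",
        "src/main.c": b"int main(void) { return 0; }\n"}
TARBALL_FILES = dict(TREE, **{"m4/extra-generated.m4": b"dnl not in VCS\n"})
TARBALL_FILES["configure.ac"] = TREE["configure.ac"] + b"dnl extra line\n"

def demo() -> dict:
    """Run the comparison on the constructed sample and return the report."""
    return compare(tarball_entries(build_tarball(TARBALL_FILES)), TREE)
```

Calling `demo()` returns the report for the constructed sample; against a real release, feed `tarball_entries()` the downloaded archive bytes and `compare()` a dict read from `git archive` or a checkout of the release tag.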