Re: security: check xc-utils versions

Top Page
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Steve Litt via PLUG-discuss
To: plug-discuss
CC: Steve Litt, dng
Subject: Re: security: check xc-utils versions
der.hans via PLUG-discuss said on Sun, 31 Mar 2024 07:19:43 +0000 (UTC)

>Am 30. Mar, 2024 schwätzte Matthew Crews via PLUG-discuss so:
>> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>> While I'm not sure that this specific vulnerability led to much harm
>> (who knows yet?), we're going to be feeling the after-shocks in the
>> open source and security industries for a long time.
>> Among the many questions that need to be asked:
>> 1. How can we trust source tarballs / archive files to be 100%
>> correct versus source code?
>Reproducible builds help with that.
>> 2. Without looking at the source code line-by-line, how do we detect
>> supply chain attacks before they are propagated to end users?
>Maybe peer review and audits as the code goes in. That'll take a lot of
>effort, especially for small projects.
>> 3. How do we properly vet source code contributors to make sure they
>> aren't going to perform supply chain attacks?
>It's going to be a rough Summer for some of us.

A couple Niklaus Wirth quotes from

“The art in engineering is not so much to make something very
complicated, The art is to make a complicated problem simpler.”

“When you develop a program, it’s much harder to devise a simple
solution than complicated ones. Unfortunately, our computers
are terribly uncritical. They swallow anything.”

Yes, it's easier to incorporate yet another library that's really a
tree of dependencies, and the computer will swallow it. For the last
several years, the problems caused by the complexification caused by
willy-nilly use of Other People's Code (OPC) is on full display.

We can audit. We can peer-review. We can crack the whip on source code
providers, but as long as we increasingly complexificate our software
with ever more layers of abstraction, auditing, peer-review and
cracking the whip are just kicking the can down the road.



Note: I'm copying the Devuan project mailing list on this post.
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings: