On 2024-03-31 07:19, der.hans via PLUG-discuss wrote:
> Am 30. Mar, 2024 schwätzte Matthew Crews via PLUG-discuss so:
> > Among the many questions that need to be asked:
> >
> > 1. How can we trust source tarballs / archive files to be 100%
correct versus
> > source code?
>
> Reproducible builds help with that.
Reproducible builds would not have necessarily caught this if it were
embedded into the source code itself. The only reason this one was
caught is because the attacker was a bit sloppy and injected it into the
compiler configs in the source tarball, and relied on downstream devs
being lazy (insteading of doing a git clone, they just download the
tarball).
Had he just embedded it into the source code itself, it probably would
have never been caught until many years later.
> > 2. Without looking at the source code line-by-line, how do we
detect supply
> > chain attacks before they are propagated to end users?
>
> Maybe peer review and audits as the code goes in. That'll take a lot of
> effort, especially for small projects.
Hindsight is 20/20, and it looks like this specific project suffered
from developer burnout. Which is all too common. I'm reminded of a
certain XKCD comic, and i think we all know how much the modern world
relies on this poor guy from Nebraska:
https://xkcd.com/2347/
The burnout (and subsequent personal attacks) led to a new maintainer
being brought on board --- with the original developer under unnecessary
pressure to do so --- and this new maintainer worked to gain significant
trust before gaining the keys to the kingdom and injecting the back door.
Up until now I'm not sure many people strongly considered this a threat
model, but here we are.
---------------------------------------------------
PLUG-discuss mailing list:
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)