Re: making Debian secure by default
* On 2024 01 Apr 23:41 -0500, tomas@tuxteam.de wrote:
> On Mon, Apr 01, 2024 at 03:19:18PM -0500, Nate Bargmann wrote:
> > * On 2024 01 Apr 14:01 -0500, Andy Smith wrote:
> 
> [...]
> 
> > Until now, who anticipated this?  I'm sure there are security
> > researchers who have and it's likely that I'm not well-read enough on
> > this topic to have seen it discussed.  How many people did it occur to
> > that when A links to B and B links to C that C can create a
> > vulnerability in A?  That is what I understand happened here.
> 
> This pattern has been seen in other contexts. Here [1] is a good review
> of "supply chain attacks", which unsurprisingly happen most often in
> decentrally managed package distributions which at the same time have
> "production environments" where time-to-deploy is the main mover: npm,
> PyPi and RubyGems. If you don't have the time to even consider what the
> hundreds of packages you're ploughing into your app actually do, this
> is no surprise.

If you have Rust and Go in mind, I am hugely skeptical of both, not
because of the languages themselves but because both, from what I see,
do not lend themselves easily to a set of known curated packages that
can be used for development.

Noted Debian developer Ian Jackson wrote a blog post back on 21 March
detailing the extra steps necessary to *only* use Debian Rust packages:

https://diziet.dreamwidth.org/18122.html

> So yes, the pattern was known. It was, up to now, pretty unusual in
> this context. But the deeper "the stack" becomes... (so I think Nate
> had a point. That Andy read that as a "systemd insult" is IMHO
> unfortunate, because it clogs a potentially useful discussion. But
> there you are).

I think Andy was responding to Jacob Bachmeyer's use of "katamari" to
describe systemd/libsystemd which he uses again in:

https://lists.gnu.org/archive/html/automake/2024-04/msg00015.html

As far as I know, Jacob is not on this list so discussing his opinion is
a bit unfair to him.

> The next level is using a package phantasized by your trusty "AI" [2]
> counsellor (and whose name was predicted by a malicious actor, because 
> "AI" tends to phantasize names consistently). Note that this one was
> just (yet?) a proof of concept.

I am guessing that the Jia Tan actor(s) are watching the response to
this event carefully.  I doubt they have been deterred.

- Nate

-- 
"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
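The "A links to B and B links to C" concern raised above is a transitive-dependency problem: the package you vet directly is rarely the one that bites you. The script below is an added example, not part of this thread or of any Debian tooling. It walks a constructed dependency graph from an application root, records the path by which each package was pulled in, and reports every reachable package that is not in a curated allowlist (here a hypothetical set standing in for "packages the distribution maintains"). The graph and allowlist are both made up for the example; a real run would feed it the output of a package manager's dependency listing.

```python
"""Flag transitive dependencies that fall outside a curated set.

Added example: the graph and the curated set are constructed for
illustration and do not describe any real package or distribution.
"""
from collections import deque

# Constructed graph: package -> list of direct dependencies.
# "app" depends on libb and libd; libb pulls in libc, which pulls in libe;
# libe depends back on libb, giving the walk a cycle to cope with.
SAMPLE_DEPS = {
    "app": ["libb", "libd"],
    "libb": ["libc"],
    "libc": ["libe"],
    "libd": [],
    "libe": ["libb"],
}

# Hypothetical curated allowlist (e.g. packages a distribution maintains).
CURATED = {"app", "libb", "libc", "libd"}


def transitive_deps(graph, root):
    """Return {package: path} for every package reachable from root.

    The path is the chain of packages that caused the dependency to be
    pulled in, starting at root. Breadth-first order keeps each path
    shortest, and the seen-set makes cycles harmless. A dependency that
    has no entry of its own in the graph is treated as a leaf.
    """
    paths = {}
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep in seen:
                continue
            seen.add(dep)
            paths[dep] = path + [dep]
            queue.append((dep, paths[dep]))
    return paths


def uncurated(graph, root, curated):
    """Return sorted (package, path) pairs for reachable packages not in curated."""
    return sorted(
        (pkg, path)
        for pkg, path in transitive_deps(graph, root).items()
        if pkg not in curated
    )


def report(graph, root, curated):
    """Human-readable lines, one per uncurated package, showing how it got in."""
    return [
        f"{pkg}: pulled in via {' -> '.join(path)}"
        for pkg, path in uncurated(graph, root, curated)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_DEPS, "app", CURATED):
        print(line)
```

On the constructed input the only finding is `libe`, reached through `app -> libb -> libc -> libe`: exactly the case where the direct dependency (`libb`) is curated but something three links down is not. The path is the useful part of the report, since it tells you which direct dependency to question.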