
Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]



On Thu, Mar 04, 2021 at 11:16:25AM -0500, Celejar wrote:

[...]

> > - Sometime 2017 [1], Microsoft put out a version of Visual Studio
> >   which baked "phone home" functionality into its compiled "products".

[...]

> >   I call this pattern "Emergent Evil".
> 
> Outrageous, certainly - this sort of thing is one of the reasons I
> use linux and avoid Microsoft products to the extent I find practical.
> But I don't consider this a "build-chain attack."

Well, it's the compiler injecting unexpected functionality into the
compilee -- i.e. half to three quarters Thompson.

The part that I find more interesting is the "emergent evil" thing.
Somehow the techies found that it is OK to do that and they did,
in the best of their intentions. They are not the evil ones. I don't
think some manager up the ladder told them to do it. It must be the
whole corporate culture, i.e. some kind of emergent behaviour.

At the end, trust is a social thing. I trust Debian, because.

> > - NPM buildchain attacks [...]

> Agreed - this sort of thing is scary.

The one example I provided is special, because it was extremely
refined: someone taking over an orphaned npm package,
and laser-targeting one product's build chain.

> I know I can't avoid the risk
> entirely, but this is one of the reasons I try hard to limit my use of
> software to stuff in the repos. I understand it's no magic bullet
> against this type of thing, but in my (not very informed) judgment, it's
> less likely to happen to stuff that Debian is vetting. I.e., I'm hoping
> that all those hoops that Debian makes packages jump through, which
> prevent stuff I do want from entering the repos, will work here in my
> favor ;)

That's my approach, too; but I realise that trust is, at the bottom,
a social thing. Technology can only be a tool in this.

The "classical" distro way is becoming more and more difficult; for
"monsters" like Chrome, the distribution can't vet everything, and as
software becomes more and more entangled (with version dependencies
on the newest micro-version), people resort more and more to docker
images, flatpaks and what have you.

Cheers
 - t
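As an added example (not part of this thread, and not code from Debian or npm), here is the kind of check a defender can run against the npm build-chain pattern mentioned above: audit a package-lock.json so that every dependency is resolved from the expected registry and carries a well-formed integrity hash, and diff two lockfiles so that a silently changed or newly added package (the orphaned-package takeover pattern) shows up before anything is installed. The package names, tarball contents, lockfiles and the `example.invalid` host are all constructed for the example; the `packages` map layout is that of npm lockfile version 2/3.

```python
import base64
import hashlib
import json
import re
from urllib.parse import urlparse

# Hostname every dependency is expected to be fetched from.
REGISTRY_HOST = "registry.npmjs.org"


def sri_for(tarball_bytes):
    """Build a Subresource Integrity string the way npm does: 'sha512-' + base64(sha512(tarball))."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball_bytes).digest()).decode("ascii")


# Constructed lockfiles (lockfileVersion 2 layout) for hypothetical packages;
# nothing here corresponds to a real project or a real incident.
OLD_LOCK = {
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/example-lib": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-1.0.0.tgz",
            "integrity": sri_for(b"example-lib 1.0.0 constructed tarball"),
        },
        "node_modules/helper-lib": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/helper-lib/-/helper-lib-2.1.0.tgz",
            "integrity": sri_for(b"helper-lib 2.1.0 constructed tarball"),
        },
    },
}

NEW_LOCK = json.loads(json.dumps(OLD_LOCK))  # deep copy of the old lockfile
# helper-lib moved to a patch release with a different tarball hash ...
NEW_LOCK["packages"]["node_modules/helper-lib"] = {
    "version": "2.1.1",
    "resolved": "https://registry.npmjs.org/helper-lib/-/helper-lib-2.1.1.tgz",
    "integrity": sri_for(b"helper-lib 2.1.1 constructed tarball"),
}
# ... and pulled in a new dependency fetched from a git host (constructed), with no integrity hash.
NEW_LOCK["packages"]["node_modules/tiny-utils"] = {
    "version": "0.0.3",
    "resolved": "git+https://example.invalid/tiny-utils.git#0123abcd",
}


def packages(lock):
    """Yield (package name, entry) for every installed package in the lockfile's 'packages' map."""
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        yield path.rsplit("node_modules/", 1)[-1], entry


def valid_sri(integrity):
    """True if integrity is '<algo>-<base64>' with a digest of the right length for that algorithm."""
    match = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", integrity or "")
    if not match:
        return False
    algo, b64 = match.groups()
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == hashlib.new(algo).digest_size


def audit(lock, registry_host=REGISTRY_HOST):
    """Return (name, problem) pairs for packages not pinned to a registry tarball with a valid hash."""
    findings = []
    for name, entry in packages(lock):
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL"))
            continue
        if urlparse(resolved).hostname != registry_host:
            findings.append((name, f"resolved outside registry: {resolved}"))
        if not valid_sri(entry.get("integrity")):
            findings.append((name, "missing or malformed integrity hash"))
    return findings


def diff_locks(old, new):
    """Return (name, kind, detail) for packages added, removed, or whose version/hash changed."""
    old_pkgs = dict(packages(old))
    new_pkgs = dict(packages(new))
    changes = []
    for name in sorted(set(old_pkgs) | set(new_pkgs)):
        if name not in old_pkgs:
            changes.append((name, "added", new_pkgs[name].get("version")))
        elif name not in new_pkgs:
            changes.append((name, "removed", old_pkgs[name].get("version")))
        else:
            o, n = old_pkgs[name], new_pkgs[name]
            if o.get("version") != n.get("version") or o.get("integrity") != n.get("integrity"):
                changes.append((name, "changed", f"{o.get('version')} -> {n.get('version')}"))
    return changes


if __name__ == "__main__":
    for name, problem in audit(NEW_LOCK):
        print(f"AUDIT   {name}: {problem}")
    for name, kind, detail in diff_locks(OLD_LOCK, NEW_LOCK):
        print(f"CHANGE  {name}: {kind} {detail}")
```

Run against a real lockfile, the audit flags anything that would be fetched from outside the registry or without a hash to pin it, and the diff turns a lockfile update into a short list of packages that a reviewer has to look at; neither replaces the vetting that a distribution does, but both make a quiet swap of one dependency visible instead of silent.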
