
Re: making Debian secure by default



On Mon, Apr 01, 2024 at 01:45:07AM +0000, Andy Smith wrote:
> Hi,
> 
> On Sun, Mar 31, 2024 at 07:19:41PM -0500, Nicholas Geovanis wrote:
> > I would think A Smith's comment here was directed to this interesting bit
> > from the report he cited:
> > 
> > Given the activity over several weeks, the committer is either directly
> > involved or there was some quite severe compromise of their
> > system. Unfortunately the latter looks like the less likely explanation,
> > given they communicated on various lists about the "fixes" mentioned above.
> > 
> > End quote.
> 
> I don't really want to go much further into this as the person I
> responded to was clearly further upset by what I said, but all I was
> suggesting was not getting too worked up about things that are so
> far out of one's control.
> 
> To bring this sort of thing somewhat more under humanity's control
> is going to take some very large scale reworking of how the open
> source software supply chain works, possibly even how society works.
> It's not something that can be achieved by an end user with a best
> practices document or a security checklist. Unless step one on the
> list is "give up general purpose computing."
> 
> In the xz case the further you go looking for a root cause the wider
> the implications are:
> 
> Q: Why was there a back door in sshd?
> A: Because some malicious code was linked to it.
> 
> Q: How did malicious code get linked to it?
> A: Its lzma dependency was compromised.
> 
> Q: Who compromised the lzma dependency?
> A: One of the developers of that project who had full rights to
> commit code to it.
> 
> Q: Why did a persona that no one knows anything about get full
> access rights to a code repository that is linked to openssh?
> A: Because they did some work over a period of years that looked
> genuine and the single other developer who was overwhelmed with work
> decided to give them access based on that.
> 
> Q: Why did lzma, a dependency of openssh, have a single overwhelmed
> developer?
> A: Because no one felt the need to pay a team of developers to work
> on it or audit work on it.
> 

I love this. It's a great example of the "5 whys" (I know one of the 5
here was technically a "how", but could have just as easily been
rephrased as a "why").

The final answer isn't comforting, but it certainly provides a clear and
actionable path: "ensure critical projects aren't understaffed."

It seems like an extremely obvious thing, the sort of thing that we
wouldn't let happen. But then this XKCD from a year or two ago wouldn't
be such an accurate representation of so many projects:
https://xkcd.com/2347/

(I'm sure it's probably been linked in 1,000 different threads in
1,000 different forums related to this problem by now.)

Regards,

-Roberto

-- 
Roberto C. Sánchez