Re: making Debian secure by default
On Mon, Apr 01, 2024 at 01:45:07AM +0000, Andy Smith wrote:
> Hi,
>
> On Sun, Mar 31, 2024 at 07:19:41PM -0500, Nicholas Geovanis wrote:
> > I would think A Smith's comment here was directed to this interesting bit
> > from the report he cited:
> >
> > Given the activity over several weeks, the committer is either directly
> > involved or there was some quite severe compromise of their
> > system. Unfortunately the latter looks like the less likely explanation,
> > given they communicated on various lists about the "fixes" mentioned above.
> >
> > End quote.
>
> I don't really want to go much further into this as the person I
> responded to was clearly further upset by what I said, but all I was
> suggesting was not getting too worked up about things that are so
> far out of one's control.
>
> To bring this sort of thing somewhat more under humanity's control
> is going to take some very large scale reworking of how the open
> source software supply chain works, possibly even how society works.
> It's not something that can be achieved by an end user with a best
> practices document or a security checklist. Unless step one on the
> list is "give up general purpose computing."
>
> In the xz case the further you go looking for a root cause the wider
> the implications are:
>
> Q: Why was there a back door in sshd?
> A: Because some malicious code was linked to it.
>
> Q: How did malicious code get linked to it?
> A: Its lzma dependency was compromised.
>
> Q: Who compromised the lzma dependency?
> A: One of the developers of that project who had full rights to
> commit code to it.
>
> Q: Why did a persona that no one knows anything about get full
> access rights to a code repository that is linked to openssh?
> A: Because they did some work over a period of years that looked
> genuine and the single other developer who was overwhelmed with work
> decided to give them access based on that.
>
> Q: Why did lzma, a dependency of openssh, have a single overwhelmed
> developer?
> A: Because no one felt the need to pay a team of developers to work
> on it or audit work on it.
>
I love this. It's a great example of the "5 whys" (I know one of the 5
here was technically a "how", but could have just as easily been
rephrased as a "why").
The final answer isn't comforting, but it certainly provides a clear and
actionable path: "ensure critical projects aren't understaffed."
It seems like an extremely obvious thing, the sort of thing that we
wouldn't let happen. But then this XKCD from a year or two ago wouldn't
be such an accurate representation of so many projects:
https://xkcd.com/2347/
(I'm sure it's probably been linked in a 1,000 different threads in a
1,000 different forums related to this problem by now.)
Regards,
-Roberto
--
Roberto C. Sánchez