my only contribution to the xz discourse:

absolutely none of the supply chain stuff we're currently doing, including the things i like, would have stopped this. the only things that can stop this are (1) compulsively treating all code as untrusted, and (2) way, way stronger capability checks and restrictions in running systems. (1) is economically infeasible (the world runs on free labor from OSS), and (2) has had only very limited practical success.

@yossarian

(3) reinstate a web of trust; only trust GPG signatures that are well connected in this web of trust through meaningful keysigning

@nik @yossarian no, that will get no uptake, and even if it did, someone would have signed the key of the guy doing xz maintenance for two years to keep things moving

@nik the idea that a PGP signature would have stopped this is, bluntly, unserious. the person in question *was* the legitimate maintainer; there was no a priori reason to distrust them.

(this is before all of the normal observations about the PGP WoT being defunct anyways)

@yossarian My point is, they should not have become the trusted maintainer without a well-trusted key, and a Debian (or other distribution) maintainer should not have imported the tarball without a trust path to them.

@nik “should” is doing a lot of lifting there, and is hoisted on technologies that empirically have *not* done the job well enough. there’s no reason to believe the previous maintainer wouldn’t have shared their key, that the malicious maintainer wouldn’t have been in the strong set, and so forth.

I’m a strong advocate of code signing, and trust distribution is one of the hardest parts; there is no reason to believe that PGP’s primitives would have sufficed here.
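To make the argument in this exchange concrete: a distribution-side "trust path" check of the kind @nik proposes is just graph reachability over key certifications, and it passes as soon as the outgoing maintainer certifies the incoming one. The following is an added illustration, not code from anyone in this thread; the key names and the certification graph are constructed, and the 5-hop limit mirrors GnuPG's default max-cert-depth but the check itself is a simplified model rather than GnuPG's actual trust computation.

```python
from collections import deque

# Constructed key-signing graph (assumption, not real keys): an edge
# signer -> signee means "signer certified signee's key". The handover
# edge at the bottom is what a normal maintainer transition produces.
KEY_SIGNATURES = {
    "distro-maintainer": ["keysigning-party-A", "keysigning-party-B"],
    "keysigning-party-A": ["previous-upstream-maintainer"],
    "keysigning-party-B": ["keysigning-party-A"],
    # the outgoing maintainer certifies the newcomer's key
    "previous-upstream-maintainer": ["new-upstream-maintainer"],
    "new-upstream-maintainer": [],
    "unknown-contributor": [],
}


def find_trust_path(signatures, root, target, max_depth=5):
    """Breadth-first search for a certification chain root -> ... -> target
    using at most max_depth hops. Returns the list of keys on the path,
    or None when the target is not reachable within the limit."""
    if root == target:
        return [root]
    queue = deque([(root, [root])])
    seen = {root}
    while queue:
        key, path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue  # hop budget exhausted along this branch
        for signee in signatures.get(key, []):
            if signee in seen:
                continue
            new_path = path + [signee]
            if signee == target:
                return new_path
            seen.add(signee)
            queue.append((signee, new_path))
    return None


def would_import_tarball(signatures, distro_key, upstream_key, max_depth=5):
    """The proposed policy: import an upstream release only if the
    distribution maintainer's key has a trust path to the signing key."""
    return find_trust_path(signatures, distro_key, upstream_key, max_depth) is not None


if __name__ == "__main__":
    # The newcomer's key is reachable via the handover, so the policy
    # accepts it; only a key nobody certified is rejected.
    print(find_trust_path(KEY_SIGNATURES, "distro-maintainer", "new-upstream-maintainer"))
    print(would_import_tarball(KEY_SIGNATURES, "distro-maintainer", "new-upstream-maintainer"))
    print(would_import_tarball(KEY_SIGNATURES, "distro-maintainer", "unknown-contributor"))
```

The check rejects a key with no certifications, but the xz-style case is the opposite shape: a newcomer who spent a long time earning a certification from the existing maintainer is exactly the key this policy admits, because the path encodes who vouched for whom, not whether the vouched-for person's future code is benign. That is the gap the posts above are pointing at.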

@yossarian @nik Agreed, the web of trust would not have helped here. We don't know yet, but it's entirely possible that this was a fully trusted and well-meaning community member who was somehow compromised by a malicious actor.
The alternative is that this was somebody patient enough to build up trust over time, hiding malicious intent all along. That person would still, likely, have been able to bypass web of trust protection.
Arguably we need to go the other way: trust nothing; assume malice.

@noahm @yossarian @nik My immediate thought on the "Web of trust" is thinking to, like, background checks and security clearance processes; asking every open source developer who is tired of maintaining their codebase to spontaneously run those on people they trust before they hand over the maintenance rights to the other person... probably isn't scalable, even outside of OSS funding through donations.

@nik @yossarian what's the scenario where they spend ~2 years maintaining the project without malicious changes and still don't have their keys signed as an xz maintainer?