my only contribution to the xz discourse:

absolutely none of the supply chain stuff we're currently doing, including the things i like, would have stopped this. the only things that can stop this are (1) compulsively treating all code as untrusted, and (2) way, way stronger capability checks and restrictions in running systems. (1) is economically infeasible (the world runs on free labor from OSS), and (2) has had only very limited practical success.

@yossarian eh I don’t completely agree, stuff like SLSA should make it more obvious when prebuilt packages diverge from the canonical source

@segiddins sure, but this was the canonical source! the decision to distribute the tweaked autoconf as a separate package wasn’t the separating factor here IMO; provenance would have only changed things if the backdoor had been inserted at the index or redistribution layer

(I still think we should do things like provenance, but I think this is a great demonstration of their limitations)

@yossarian @segiddins There's a subtlety here I think is worth highlighting. AIUI it was the canonical source in the sense that it is what the trusted individual released, but it differed from what it claimed to be in a very detectable way. Specifically, it did not match the tarball generated from the canonical repository. The change hid a small payload needed to activate the "public in git history but obscured" exploit material. We can and should close this part of the path.

@iansmcleod @yossarian yes, that’s what I was getting at but didn’t explain as well
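The detectable divergence described two posts up, a release tarball that does not match what the canonical repository produces, is something a downstream consumer can check mechanically. The script below is an added example and is not code from the thread or from the xz project. It assumes you have already produced the repository-side tarball with `git archive --format=tar --prefix=proj-1.0/ v1.0 -o repo.tar` (a real git command) and fetched `release.tar` from the distribution point; the function names, the stripped top-level prefix, and the two sample tarballs built in memory by `build_sample_tarballs()` are assumptions constructed for illustration.

```python
"""Diff a distributed release tarball against the tarball produced from the
canonical repository, reporting files that were added, dropped or modified.

Added example, not code from the thread above. The comparison logic and all
sample data here are constructed for illustration.
"""
import hashlib
import io
import sys
import tarfile


def strip_top_dir(name: str) -> str:
    """Both `git archive --prefix=` and release tarballs carry a top-level
    directory (proj-1.0/...); drop it so paths compare like for like."""
    return name.split("/", 1)[1] if "/" in name else name


def tar_digests(data: bytes) -> dict[str, str]:
    """Map each regular file in the tarball to the SHA-256 of its contents.
    mode='r:*' lets tarfile detect plain/gz/bz2/xz compression itself."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            f = tf.extractfile(member)
            digests[strip_top_dir(member.name)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_release_against_repo(repo_tar: bytes, release_tar: bytes) -> dict[str, list[str]]:
    """Return the three buckets a reviewer cares about:
    files only in the release, files only in the repo, and files whose
    content differs. 'modified' is the strongest signal: the same path with
    different bytes than the repository at the tagged commit."""
    repo = tar_digests(repo_tar)
    rel = tar_digests(release_tar)
    return {
        "only_in_release": sorted(set(rel) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(rel)),
        "modified": sorted(p for p in set(repo) & set(rel) if repo[p] != rel[p]),
    }


def make_tar(prefix: str, files: dict[str, bytes]) -> bytes:
    """Build an uncompressed tarball in memory (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_tarballs() -> tuple[bytes, bytes]:
    """Constructed sample: the release ships generated autotools output that
    is legitimately absent from git, but also alters one tracked m4 file."""
    tracked = {
        "configure.ac": b"AC_INIT([proj], [1.0])\n",
        "m4/helper.m4": b"dnl original macro\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    released = dict(tracked)
    released["m4/helper.m4"] = b"dnl original macro\ndnl extra line not in git\n"
    released["configure"] = b"#!/bin/sh\n# generated by autoconf\n"
    released["Makefile.in"] = b"# generated by automake\n"
    return make_tar("proj-1.0", tracked), make_tar("proj-1.0", released)


if __name__ == "__main__":
    # Usage: python check_release.py repo.tar release.tar
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            report = diff_release_against_repo(a.read(), b.read())
    else:
        report = diff_release_against_repo(*build_sample_tarballs())
    for bucket, paths in report.items():
        print(f"{bucket}: {paths}")
```

The caveat a reviewer needs: for an autotools project, `only_in_release` will always be non-empty, because `configure`, `Makefile.in` and the m4 macros pulled in by `autoreconf` are generated at release time and not tracked in git. That is exactly why a tampered generated file is easy to overlook. The bucket to treat as a hard failure is `modified`; the generated files can only be checked by regenerating them yourself from a clean checkout with the same pinned autotools versions and comparing against that, which is the part of the path the post above is arguing should be closed.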