From: Guinevere Larsen <blarsen@redhat.com>
To: Sandra Loosemore <sloosemore@baylibre.com>,
Mark Wielaard <mark@klomp.org>,
overseers@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Tue, 2 Apr 2024 19:21:47 -0300 [thread overview]
Message-ID: <CAESWTy62yO1mcgbrUbp_GKPTb8BzfuJs9hM6EuoDbdRkyzG1tQ@mail.gmail.com> (raw)
In-Reply-To: <077b9dd5-0df1-4384-a9d1-58e4283caf09@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 3491 bytes --]
On Tue, Apr 2, 2024 at 7:09 PM Guinevere Larsen <blarsen@redhat.com> wrote:
> On 4/2/24 16:54, Sandra Loosemore wrote:
> > On 4/1/24 09:06, Mark Wielaard wrote:
> >> A big thanks to everybody working this long Easter weekend who helped
> >> analyze the xz-backdoor and making sure the impact on Sourceware and
> >> the hosted projects was minimal.
> >>
> >> This email isn't about the xz-backdoor itself. Do see Sam James FAQ
> >> https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
> >> (Sorry for the github link, but this one does seem viewable without
> >> proprietary javascript)
> >>
> >> We should discuss what we have been doing and should do more to
> >> mitigate and prevent the next xz-backdoor. There are a couple of
> >> Sourceware services that can help with that.
> >>
> >> TLDR;
> >> - Replicatable isolated container/VMs are nice, we want more.
> >> - autoregen buildbots, it should be transparent (and automated) how to
> >> regenerate build/source files.
> >> - Automate (snapshot) releases tarballs.
> >> - Reproducible releases (from git).
> >>
> >> [snip]
> >
> > While I appreciate the effort to harden the Sourceware infrastructure
> > against malicious attacks and want to join in on thanking everyone who
> > helped analyze this issue, to me it seems like the much bigger problem
> > is that XZ had a maintainer who appears to have acted in bad faith.
> > Are the development processes used by the GNU toolchain components
> > robust enough to cope with deliberate sabotage of the code base? Do
> > we have enough eyes available to ensure that every commit, even those
> > by designated maintainers, is vetted by someone else? Do we to harden
> > our process, too, to require all patches to be signed off by someone
> > else before committing?
> >
> > -Sandra
> >
> >
> What likely happened for the maintainer who acted in bad faith was that
> they entered the project with bad faith intent from the start - seeing
> as they were only involved with the project for 2 years, and there was
> much social pressure from fake email accounts for the single maintainer
> of XZ to accept help.
>
> While we would obviously like to have more area maintainers and possibly
> global maintainers to help spread the load, I don't think any of the
> projects listed here are all that susceptible to the same type of social
> engineering. For one, getting the same type of blanket approval would be
> a much more involved process because we already have a reasonable amount
> of people with those privileges, no one is dealing with burnout and
> sassy customers saying we aren't doing enough.
>
As someone helpfully pointed out privately, I expressed myself badly here.
I meant that no one project is experiencing that for the whole maintainer
community. individual maintainers may, of course, be going through
difficult times and/or customers, but a single maintainer needing to step
down won't halt the whole project, leading to the rushed trust and thus
exploitation that happened for the XZ project.
> Beyond that, we (GDB) are already experimenting with approved-by, and I
> think glibc was doing the same. That guarantees at least a second set of
> eyes that analyzed and agreed with the patch, I don't think signed-off
> would add more than that tag (even if security was not the reason why we
> implemented them).
>
> --
> Cheers,
> Guinevere Larsen
> She/Her/Hers
>
>
next prev parent reply other threads:[~2024-04-02 22:22 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 20:39 Security warning about xz library compromise Mark Wielaard
2024-04-01 15:06 ` Sourceware mitigating and preventing the next xz-backdoor Mark Wielaard
2024-04-02 19:54 ` Sandra Loosemore
2024-04-02 20:03 ` Paul Eggert
2024-04-02 20:20 ` Paul Koning
2024-04-02 20:28 ` Ian Lance Taylor
2024-04-03 6:26 ` Martin Uecker
2024-04-03 14:00 ` Michael Matz
2024-04-03 14:14 ` Paul Koning
2024-04-03 14:32 ` Martin Uecker
2024-04-03 14:46 ` Jeffrey Walton
2024-04-03 16:02 ` Michael Matz
2024-04-03 16:26 ` Joel Sherrill
2024-04-03 16:32 ` Martin Uecker
2024-04-03 16:51 ` Andreas Schwab
2024-04-03 16:56 ` Jonathan Wakely
2024-04-03 18:46 ` Jonathon Anderson
2024-04-03 19:01 ` Martin Uecker
2024-04-05 21:15 ` Andrew Sutton
2024-04-06 13:00 ` Richard Biener
2024-04-06 15:59 ` Martin Uecker
2024-04-04 13:59 ` Michael Matz
2024-04-09 16:44 ` anderson.jonathonm
2024-04-09 17:57 ` Andreas Schwab
2024-04-09 19:59 ` Jonathon Anderson
2024-04-09 20:11 ` Paul Koning
2024-04-09 21:40 ` Jeffrey Walton
2024-04-09 21:50 ` Paul Eggert
2024-04-09 21:58 ` Sam James
2024-04-09 22:15 ` Paul Eggert
2024-04-09 22:22 ` Sam James
2024-04-09 22:53 ` Paul Eggert
2024-04-09 22:03 ` Jonathon Anderson
2024-04-09 22:10 ` Sam James
2024-04-09 21:54 ` Jonathon Anderson
2024-04-09 22:00 ` Sam James
2024-04-10 14:09 ` Frank Ch. Eigler
2024-04-10 18:47 ` Jonathon Anderson
2024-04-10 19:00 ` Frank Ch. Eigler
2024-04-10 10:26 ` Claudio Bantaloukas
2024-04-02 22:08 ` Guinevere Larsen
2024-04-02 22:21 ` Guinevere Larsen [this message]
2024-04-02 22:50 ` Jeffrey Walton
2024-04-02 23:20 ` Mark Wielaard
2024-04-02 23:34 ` Paul Koning
2024-04-03 0:37 ` Jeffrey Walton
2024-04-03 8:08 ` Florian Weimer
2024-04-03 13:53 ` Joel Sherrill
2024-04-04 10:25 ` Mark Wielaard
2024-04-10 16:30 ` Alejandro Colomar
2024-04-21 15:30 ` Mark Wielaard
2024-04-21 20:40 ` Alejandro Colomar
2024-04-21 20:52 ` Alejandro Colomar
2024-04-30 11:28 ` Alejandro Colomar
2024-04-03 14:04 ` Tom Tromey
2024-04-03 14:42 ` Jeff Law
2024-04-04 10:48 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAESWTy62yO1mcgbrUbp_GKPTb8BzfuJs9hM6EuoDbdRkyzG1tQ@mail.gmail.com \
--to=blarsen@redhat.com \
--cc=mark@klomp.org \
--cc=overseers@sourceware.org \
--cc=sloosemore@baylibre.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).