From: Jeffrey Walton <noloader@gmail.com>
To: Paul Koning <paulkoning@comcast.net>
Cc: Guinevere Larsen <blarsen@redhat.com>,
Sandra Loosemore <sloosemore@baylibre.com>,
Mark Wielaard <mark@klomp.org>,
overseers@sourceware.org, gcc@gcc.gnu.org,
binutils@sourceware.org, gdb@sourceware.org,
libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Tue, 2 Apr 2024 20:37:25 -0400 [thread overview]
Message-ID: <CAH8yC8mPHMD1ruZwURT9FfZKxp+KVRMO8dA6MWhYsmP6nZG36g@mail.gmail.com> (raw)
In-Reply-To: <8FA2DDAB-E1BF-4DB8-B7DA-36D41281C1FA@comcast.net>
On Tue, Apr 2, 2024 at 7:35 PM Paul Koning via Gdb <gdb@sourceware.org> wrote:
> [...]
>
> I agree that GDB, and for that matter other projects with significant numbers of contributors, are not nearly as likely to be vulnerable to this sort of attack. But I worry that xz may not be the only project that's small enough to be vulnerable, and be security-relevant in not so obvious ways.
This cuts a lot deeper than folks think. Here are two other examples
off the top of my head...
Other vulnerable projects include ncurses and libnettle. Ncurses is
run by Thomas Dickey (https://invisible-island.net/). libnettle is run
by Niels Möller (https://www.lysator.liu.se/~nisse/nettle/). Both are
one-man shows with no continuity plans. Dickey does not even run a
public version control system. You have to download his release
tarballs, and there's no history to review or make pull requests
against. If DIckey or Möller got hit by a bus crossing the street,
there would be problems for years.
Jeff
> One question that comes to mind is whether there has been an effort across the open source community to identify possible other targets of such attacks. Contributions elsewhere by the suspect in this case are an obvious concern, but similar scenarios with different names could also be. That probably should be an ongoing activity: whenever some external component is used, it would be worth knowing how it is maintained, and how many eyeballs are involved. Even if this isn't done by everyone, it seems like a proper precaution for security sensitive projects.
>
> Another question that comes to mind: I would guess that relevant law enforcement agencies are already looking into this, but it would seem appropriate for those closest to the attacked software to reach out explicitly and assist in any criminal investigations.
>
> paul
>
next prev parent reply other threads:[~2024-04-03 0:37 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 20:39 Security warning about xz library compromise Mark Wielaard
2024-04-01 15:06 ` Sourceware mitigating and preventing the next xz-backdoor Mark Wielaard
2024-04-02 19:54 ` Sandra Loosemore
2024-04-02 20:03 ` Paul Eggert
2024-04-02 20:20 ` Paul Koning
2024-04-02 20:28 ` Ian Lance Taylor
2024-04-03 6:26 ` Martin Uecker
2024-04-03 14:00 ` Michael Matz
2024-04-03 14:14 ` Paul Koning
2024-04-03 14:32 ` Martin Uecker
2024-04-03 14:46 ` Jeffrey Walton
2024-04-03 16:02 ` Michael Matz
2024-04-03 16:26 ` Joel Sherrill
2024-04-03 16:32 ` Martin Uecker
2024-04-03 16:51 ` Andreas Schwab
2024-04-03 16:56 ` Jonathan Wakely
2024-04-03 18:46 ` Jonathon Anderson
2024-04-03 19:01 ` Martin Uecker
2024-04-05 21:15 ` Andrew Sutton
2024-04-06 13:00 ` Richard Biener
2024-04-06 15:59 ` Martin Uecker
2024-04-04 13:59 ` Michael Matz
2024-04-09 16:44 ` anderson.jonathonm
2024-04-09 17:57 ` Andreas Schwab
2024-04-09 19:59 ` Jonathon Anderson
2024-04-09 20:11 ` Paul Koning
2024-04-09 21:40 ` Jeffrey Walton
2024-04-09 21:50 ` Paul Eggert
2024-04-09 21:58 ` Sam James
2024-04-09 22:15 ` Paul Eggert
2024-04-09 22:22 ` Sam James
2024-04-09 22:53 ` Paul Eggert
2024-04-09 22:03 ` Jonathon Anderson
2024-04-09 22:10 ` Sam James
2024-04-09 21:54 ` Jonathon Anderson
2024-04-09 22:00 ` Sam James
2024-04-10 14:09 ` Frank Ch. Eigler
2024-04-10 18:47 ` Jonathon Anderson
2024-04-10 19:00 ` Frank Ch. Eigler
2024-04-10 10:26 ` Claudio Bantaloukas
2024-04-02 22:08 ` Guinevere Larsen
2024-04-02 22:50 ` Jeffrey Walton
2024-04-02 23:20 ` Mark Wielaard
2024-04-02 23:34 ` Paul Koning
2024-04-03 0:37 ` Jeffrey Walton [this message]
2024-04-03 8:08 ` Florian Weimer
2024-04-03 13:53 ` Joel Sherrill
2024-04-04 10:25 ` Mark Wielaard
2024-04-10 16:30 ` Alejandro Colomar
2024-04-21 15:30 ` Mark Wielaard
2024-04-21 20:40 ` Alejandro Colomar
2024-04-21 20:52 ` Alejandro Colomar
2024-04-30 11:28 ` Alejandro Colomar
2024-04-03 14:04 ` Tom Tromey
2024-04-03 14:42 ` Jeff Law
2024-04-04 10:48 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAH8yC8mPHMD1ruZwURT9FfZKxp+KVRMO8dA6MWhYsmP6nZG36g@mail.gmail.com \
--to=noloader@gmail.com \
--cc=binutils@sourceware.org \
--cc=blarsen@redhat.com \
--cc=gcc@gcc.gnu.org \
--cc=gdb@sourceware.org \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
--cc=overseers@sourceware.org \
--cc=paulkoning@comcast.net \
--cc=sloosemore@baylibre.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).