• 0 Posts
  • 11 Comments
Joined 4 years ago
cake
Cake day: October 28th, 2020

help-circle

  • federico3@lemmy.mltoLinux@lemmy.mlWhy does nobody maintain PPAs anymore?
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    7 months ago

    I am well aware of it. It is an example of the traditional distribution workflow preventing a backdoor from landing into Debian Stable and other security-focused distributions. Of course the backdoor could have been spotted sooner, but also much later, given its sophistication.

    In the specific case of xz, “Jia Tan” had to spend years of efforts in gaining trust and then to very carefully conceal the backdoor (and still failed to reach Debian Stable and other distributions). Why so much effort? Because many simpler backdoors or vulnerabilities have been spotted sooner. Also many less popular FOSS projects from unknown or untrusted upstream authors are simply not packaged.

    Contrast that with distributing large “blobs”, be it containers from docker hub or flatpak, snap etc, or statically linked binaries or pulling dependencies straight from upstream repositories (e.g. npm install): any vulnerability or backdoor can reach end users quickly and potentially stay unnoticed for years, as it happened many times.

    There has been various various reports and papers published around the topic, for example https://www.securityweek.com/analysis-4-million-docker-images-shows-half-have-critical-vulnerabilities/

    They have to watch hundreds to thousands of packages so having them do security checks for each package is simply not feasible.

    That is what we do and yes, it takes effort, but it is still working better than the alternatives. Making attacks difficult and time consuming is good security.

    If there is anything to learn from the xz attack is that both package maintainers and end users should be less lenient in accepting blobs of any kind.






  • This is not correct. APT always verifies cryptographic signature unless you explicitly disable it. Yet it’s very important to understand who is signing packages. What kind of review process did the software go through? What kind of vetting did the package maintainer themselves go through?

    If software is signed only by the upstream developer and no 3rd party review is done by a distribution this means trusting a stranger’s account on a software forge.

    Update: the Debian infrastructure supports checking gpg signatures from upstream developers i.e. on the tarballs published on software forges.


  • Context is important. It’s possible that the software is distributed without any warning like that and that the termination of the support contract is done without citing the redistribution of previous versions as a reason. OTOH if the customers could prove that there’s widespread knowledge of the retaliatory termination that could be equivalent to a (non-written) restriction that is indeed incompatible with the GPL