[talk] xz compromise and ports systems

[George Rosamond]

There's a lot to be said about the security of ports supply chains.

There are lots of mitigations to apply starting from the original
developer, to distribution and packaging to the end user and operating
system at the destination.

You can build a nice ports/pkg system, verify the source with checksums,
then move up to digital signatures, and so on.

Clearly you can't mock ports systems, the need for original source code
should go away. Raw pip or CPAN removes some basic guard rails.

But most mitigations are looking to solve one moment in the ports supply
chain.

Ultimately the issue is most difficult when the original developer(s) of
the source are the problem, conscious or not. "But the source was signed
with the developer's keys!" You can call that a verified backdoor.

All the crud on PyPi is a good example.

Operating system mitigations matter, since few users will actually look
at the original source or even changelogs.

One might think that some 3p auditor could be used to verify code
changes with some projects.... then we turn into a world of blue check
marks for open source code.

Now let's charge a fee! We can even validate it for SOC2 compliance!
"Get a blue check for your application in four days cheap!"

Certainly complexity makes things worse, including on the operating
system level. Cough, cough systemd. Building out complex "supply chains"
for applications needs to be avoided.

And witch hunts aren't going to address these larger problems.

https://www.wired.com/story/jia-tan-xz-backdoor/

g