[talk] meeting tonight: idea on ports supply-chain security

George Rosamond george at ceetonetechnology.com
Wed Jul 12 12:32:17 EDT 2023

We don't have a set agenda, but I would like to raise an idea I've been
tinkering on... and would love to add to the discussion this evening.

Basically, it's about the whole ports/pkgs pipeline for the BSDs, and
the related security issues from the written source code down to the
user install and configuration.

This includes everything from operating-system based security
mitigations (think W^X, pledge, capsicum), digital signatures and
checksums, and a lot of other things.

Part of this discussion is informed by some of the work by NYU's Secure
Systems Lab, such as https://pypi.org/project/in-toto/, which has a
range of people involved, including Wietse (who's on this list...). There
are a number of pieces in the supply chain that are being approached,
but what I think is important is to set up a broad picture, then look at
various mitigations along the pipeline.

I am imagining this at some point: I'll do an overview of
code/source=>user install/config for the BSDs, then we could have other
speakers such as Wietse and some NYU PhD students I know possibly cover
more specific tools.

I don't intend to arrive at some massive discoveries, or novel new
security mitigations, but I do think we can broaden everyone's
familiarity with the issues involved.

There are no silver bullets here, only mitigations. We don't control the
source or original upstream developer, and auditing third-party source
for ports isn't realizable at this point. And that matters. (0)

Some mitigations relate to my day-to-day world, mostly focused on the
transport of the source files over https.

I have a lot more research to do on my end, even though I really only
want to do a broad-stroke overview, so this isn't happening in August...
but I do want to broaden the number of people involved in the discussion.


(0) See:

and I'll stop there...
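[Editor's added example, not part of George's post and not code from any
BSD ports tree.] One concrete link in the pipeline the post describes is
the checksum step: the port maintainer records the digest and size of
the upstream distfile (on FreeBSD, `make makesum` writes a `distinfo`
file), and the fetch step on the user's side refuses a distfile that does
not match. The script below models both halves against a constructed
distfile. It assumes the FreeBSD-style distinfo layout (`TIMESTAMP = n`,
`SHA256 (file) = hex`, `SIZE (file) = bytes`); the distfile bytes, the
port name and the timestamp are made up for the example.

```python
"""Model the distinfo checksum step of a BSD ports pipeline.

Added example: maintainer side generates distinfo (what `make makesum`
does on FreeBSD), user side verifies a fetched distfile against it.
The distfile contents, name and timestamp are constructed, not real.
"""
import hashlib
import re

# Matches the two line types the fetch step cares about; TIMESTAMP and
# anything else are ignored by the parser.
_ENTRY = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

# Constructed sample distfile (not a real tarball).
NAME = "example-1.0.tar.gz"
DATA = b"constructed distfile bytes, not a real tarball\n"


def make_distinfo(name, data, timestamp):
    """Maintainer side: emit a distinfo entry for one distfile."""
    digest = hashlib.sha256(data).hexdigest()
    return (
        "TIMESTAMP = %d\n"
        "SHA256 (%s) = %s\n"
        "SIZE (%s) = %d\n" % (timestamp, name, digest, name, len(data))
    )


def parse_distinfo(text):
    """Return {distfile name: {"sha256": hex, "size": int}}."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        entry = entries.setdefault(m.group("name"), {})
        if m.group(1) == "SHA256":
            entry["sha256"] = m.group("value").lower()
        else:
            entry["size"] = int(m.group("value"))
    return entries


def verify_distfile(name, data, entries):
    """User side: check the cheap size test first, then the digest.

    Returns (ok, reason). A distfile with no entry is rejected rather
    than silently accepted, as is an entry that lacks a SHA256 line.
    """
    entry = entries.get(name)
    if entry is None:
        return False, "no distinfo entry for %s" % name
    if "size" in entry and len(data) != entry["size"]:
        return False, "size mismatch: got %d, expected %d" % (
            len(data), entry["size"])
    if "sha256" not in entry:
        return False, "no SHA256 recorded for %s" % name
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"


# Constructed timestamp for the sample distinfo.
DISTINFO = make_distinfo(NAME, DATA, 1689179537)


if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    print(DISTINFO)
    print("genuine:  ", verify_distfile(NAME, DATA, entries))
    # Flip one bit so the size still matches but the digest does not.
    tampered = bytes([DATA[0] ^ 1]) + DATA[1:]
    print("tampered: ", verify_distfile(NAME, tampered, entries))
    print("truncated:", verify_distfile(NAME, DATA[:-1], entries))
```

The check only pins the distfile to whatever the maintainer downloaded
when the checksum was recorded; it says nothing about upstream, and it
is only as good as the channel that delivered the distinfo file itself,
which is where the signature and transport pieces of the pipeline come
in.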

