[talk] meeting tonight: idea on ports supply-chain security

George Rosamond george at ceetonetechnology.com
Wed Jul 12 12:32:17 EDT 2023


We don't have a set agenda, but I would like to raise an idea I've been
tinkering on... and would love to add to the discussion this evening.

Basically, it's about the whole ports/pkgs pipeline for the BSDs, and
the related security issues from the written source code down to the
user install and configuration.

This includes everything from operating-system-based security
mitigations (think W^X, pledge, capsicum), digital signatures and
checksums and a lot of other things.

Part of this discussion is informed by some of the work by NYU's Secure
Systems Lab like with https://pypi.org/project/in-toto/, which has a
range of people involved including Wietse (who's on this list...). There
are a number of pieces in the supply chain that are being approached,
but what I think is important is to set up a broad picture, then look at
various mitigations along the pipeline.

I am imagining this at some point: I'll do an overview of
code/source=>user install/config for the BSDs, then we could have other
speakers such as Wietse and some NYU PhD students I know possibly cover
more specific tools.

I don't intend to arrive at some massive discoveries, or novel new
security mitigations, but I do think we can broaden everyone's
familiarity with the issues involved.

There are no silver bullets here, only mitigations. We don't control the
source or original upstream developer and auditing third-party source
for ports isn't realizable at this point. And that matters. (0)

Some mitigations relate to my day-to-day world, mostly focused on the
transport of the source files over https.

I have a lot more research to do on my end, even though I really only
want to do a broad-stroke overview, so this isn't happening in August...
but I do want to broaden the number of people involved in the discussion.

g

(0) See:
https://arstechnica.com/information-technology/2021/11/malware-downloaded-from-pypi-41000-times-was-surprisingly-stealthy/
https://www.theregister.com/2021/07/28/python_pypi_security/
https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platform-with-information-stealing-malware/

and I'll stop there...