[talk] meeting tonight: idea on ports supply-chain security

George Rosamond george at ceetonetechnology.com
Wed Jul 12 13:08:29 EDT 2023


To top-post to an already over-wordy email...

Part of the point of this is to give everyone a broader sense of some
things happening in academia tangential to real life.

We have done it in the past but it's been a while. One of the guiding
principles for me about NYC*BUG, and I have articulated before, was
bridging research to the real world. We can't get lost in how things are
done today, but we should be capable of judging the utility (or not) of
relevant research being done.

Think what USENIX has done but on a user-group level, maybe.

g

On 7/12/23 12:32, George Rosamond wrote:
> We don't have a set agenda, but I would like to raise an idea I've been
> tinkering on... and would love to add to the discussion this evening.
> 
> Basically, it's about the whole ports/pkgs pipeline for the BSDs, and
> the related security issues from the written source code down to the
> user install and configuration.
> 
> This includes everything from operating-system based security
> mitigations (think W^X, pledge, capsicum), digital signatures and
> checksums and a lot of other things.
> 
> Part of this discussion is informed by some of the work by NYU's Secure
> Systems Lab like with https://pypi.org/project/in-toto/, which has a
> range of people involved including Wietse (who's on this list...). There
> are a number of pieces in the supply chain that are being approached,
> but what I think is important is to set up a broad picture, then look at
> various mitigations along the pipeline.
> 
> I am imagining this at some point: I'll do an overview of
> code/source=>user install/config for the BSDs, then we could have other
> speakers such as Wietse and some NYU PhD students I know possibly cover
> more specific tools.
> 
> I don't intend to arrive at some massive discoveries, or novel new
> security mitigations, but I do think we can broaden everyone's
> familiarity with the issues involved.
> 
> There are no silver bullets here, only mitigations. We don't control the
> source or original upstream developer and auditing third-party source
> for ports isn't realizable at this point. And that matters (0)
> 
> Some mitigations relate to my day-to-day world, mostly focused on the
> transport of the source files over https.
> 
> I have a lot more research to do on my end, even though I really only
> want to do a broadstroke overview, so this isn't happening in August...
> but I do want to broaden the number of people involved in the discussion.
> 
> g
> 
> (0) See:
> https://arstechnica.com/information-technology/2021/11/malware-downloaded-from-pypi-41000-times-was-surprisingly-stealthy/
> https://www.theregister.com/2021/07/28/python_pypi_security/
> https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platform-with-information-stealing-malware/
> 
> and I'll stop there...
> 
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> https://lists.nycbug.org:8443/mailman/listinfo/talk
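The checksum step of the ports pipeline the message touches on (the point where a fetched distfile is compared against what the ports tree pinned), as an added example that is not part of the original post or of any BSD ports tree. It assumes the ports-style distinfo layout of `SHA256 (name) = hex` and `SIZE (name) = bytes` lines; the distfile name `demo-1.0.tar.gz`, its contents and the distinfo record are constructed for the demo, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the post: check a fetched distfile against a
# ports-style distinfo record (SHA256 and SIZE lines), which is how the BSD
# ports trees pin what "make fetch" downloads. The distfile and distinfo
# below are constructed for the demo; "demo-1.0.tar.gz" is a stand-in name.

# SHA-256 of a file as lowercase hex, using whichever tool the host provides
# (GNU coreutils sha256sum, BSD sha256(1), or OpenSSL as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    fi
}

# Byte count of a file; BSD wc pads the number with spaces, so strip them.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO FILE NAME
# Returns 0 when both SIZE and SHA256 match, 1 otherwise. The size check runs
# first: it is cheap and rejects a truncated download before any hashing.
verify_distfile() {
    distinfo=$1
    file=$2
    name=$3
    # escape '.' so the name is matched literally in the sed patterns
    pat=$(printf '%s' "$name" | sed 's/[.]/\\./g')
    want_sum=$(sed -n "s/^SHA256 ($pat) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($pat) = //p" "$distinfo")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "no distinfo entry for $name" >&2; return 1
    fi
    if [ "$(size_of "$file")" != "$want_size" ]; then
        echo "size mismatch for $name" >&2; return 1
    fi
    if [ "$(sha256_of "$file")" != "$want_sum" ]; then
        echo "checksum mismatch for $name" >&2; return 1
    fi
    return 0
}

# Build a scratch directory holding a constructed distinfo and a 6-byte
# "distfile" whose contents are $1 plus a newline, then verify it.
# Returns verify_distfile's exit status.
run_demo() {
    d=$(mktemp -d) || return 2
    printf 'SHA256 (demo-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\n' > "$d/distinfo"
    printf 'SIZE (demo-1.0.tar.gz) = 6\n' >> "$d/distinfo"
    printf '%s\n' "$1" > "$d/demo-1.0.tar.gz"
    verify_distfile "$d/distinfo" "$d/demo-1.0.tar.gz" demo-1.0.tar.gz
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_good()     { run_demo hello; }   # "hello\n" matches the pinned hash: exit 0
demo_tampered() { run_demo hellp; }   # same size, one byte changed: exit 1

demo_good && echo "demo-1.0.tar.gz: OK"
demo_tampered || echo "tampered copy rejected as expected"
```

The size line is not a security control on its own, but it is why a ports tree records both: a checksum mismatch on a truncated transfer can be told apart from a file that arrived whole with different contents. Neither check says anything about whether the upstream tarball was trustworthy when the distinfo was generated, which is the gap the post's point (0) is about.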
