© 2025 TechEcho. All rights reserved.

Fifty Years of Open Source Software Supply Chain Security

182 points, by yarapavan, about 1 month ago

9 comments

ndiddy, about 1 month ago

> The OpenSSH project is careful about not taking on unnecessary dependencies, but Debian was not as careful. That distribution patched sshd to link against libsystemd, which in turn linked against a variety of compression packages, including xz's liblzma. Debian's relaxing of sshd's dependency posture was a key enabler for the attack, as well as the reason its impact was limited to Debian-based systems such as Debian, Ubuntu, and Fedora, avoiding other distributions such as Arch, Gentoo, and NixOS.

Does Fedora use Debian's patch set for sshd, or a similar patch set that adds libsystemd?

Edit: It looks like Fedora wasn't affected because the backdoor triggered a valgrind test failure, so they shipped it with a flag that disabled the functionality that was backdoored. Seems like they lucked out. https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/YTOGJVBNOSW7FSEE7B35GETS25KFPKBO/
aadhavans, about 1 month ago

A very well-written piece. The section on funding open source is as relevant as it's ever been, and I don't think we've learnt much since last year.

As the proportion of younger engineers contributing to open-source decreases (a reasonable choice, given the state of the economy), I see only two future possibilities:

1. Big corporations take ownership of key open-source libraries in an effort to continue their development.

2. Said key open-source libraries die, and corporations develop proprietary replacements for their own use. The open source scene remains alive, but with a much smaller influence.
transpute, about 1 month ago

From Linux Security Summit 2019, a retrospective on mandatory access control and bounding "damage that can be caused by flawed or malicious applications" in Android, iOS, macOS, Linux, FreeBSD and Zephyr: https://static.sched.com/hosted_files/lssna19/e5/LSS2019-Retrospective-16-9.pdf

    For the past 26 years, the speaker has been engaged in the design, implementation, technology transfer, and application of flexible Mandatory Access Control (MAC). In this talk, he describes the history and lessons learned from this body of work. The background and motivation for MAC is first presented, followed by a discussion of how a flexible MAC architecture was created and matured through a series of research systems. The work to bring this architecture to mainstream systems is then described, along with how the architecture and implementation evolved. The experience with applying this architecture to mobile platforms is examined. The role of MAC in a larger system architecture is reviewed in the context of a secure virtualization system. The state of MAC in mainstream systems is compared before and after our work. Work to bring MAC to emerging operating systems is discussed.

video: https://www.youtube.com/watch?v=AKWFbxbsU3o
edoceo, about 1 month ago

One of my struggles is to get docker to lock down which images it loads. I'd like to only pull from my own blessed registry, and it seems Docker wants to always go back to theirs.

For other "package" managers (eg: CPAN, Debian) I can point to my own archive and be sure everything I manage downstream gets the blessed bits.

I basically have a huge archive/mirror for the supply chain for my perl, PHP, JavaScript, etc.

If anyone has pro tips on how to "lock" docker to one registry, that would be cool.
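The difficulty described above comes largely from implicit short-name resolution: a reference with no registry host ("alpine", "library/alpine", "someuser/app") silently means docker.io. Wherever the daemon itself cannot be pinned, a defender can still enforce "only my registry" at the build or admission gate by normalising every image reference the same way the client does and rejecting anything that does not resolve to the blessed host. The following is an added example, not code from the commenter or from Docker; the registry hostname `registry.example.internal` and the function names are assumptions. It applies the Docker-style rule that the first path component names a registry only if it contains `.` or `:` or is exactly `localhost`.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed policy: the single blessed registry. The hostname is a placeholder.
var allowedRegistries = map[string]bool{
	"registry.example.internal": true,
}

// registryOf resolves which registry an image reference actually points at,
// following the Docker-style short-name rule: the first path component is a
// registry only if it contains '.' or ':' or is exactly "localhost"; anything
// else ("alpine", "library/alpine", "someuser/app") is shorthand for docker.io.
// That implicit default is what makes "only pull from my registry" hard to
// enforce by mirroring alone.
func registryOf(ref string) string {
	// Drop any digest suffix first; "@sha256:..." contains ':' and would
	// otherwise look like a host:port component.
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	first, _, found := strings.Cut(ref, "/")
	if !found {
		return "docker.io" // bare name, possibly with a tag: "alpine:3.19"
	}
	if first == "localhost" || strings.ContainsAny(first, ".:") {
		return strings.ToLower(first)
	}
	return "docker.io"
}

// checkPull is the gate: nil when the reference resolves to an allowed
// registry, otherwise an error naming the registry it would really pull from.
func checkPull(ref string) error {
	reg := registryOf(ref)
	if !allowedRegistries[reg] {
		return fmt.Errorf("image %q resolves to registry %q, which is not in the allow-list", ref, reg)
	}
	return nil
}

// rejectedImages screens a list of references (every FROM line, every image in
// a compose file, every pod spec) and returns the ones the policy refuses.
func rejectedImages(refs []string) []string {
	var bad []string
	for _, r := range refs {
		if err := checkPull(r); err != nil {
			bad = append(bad, r)
		}
	}
	return bad
}

func main() {
	refs := []string{
		"alpine:3.19",                                   // implicit docker.io
		"library/alpine",                                // still docker.io
		"ghcr.io/someorg/app:v1",                        // explicit other registry
		"registry.example.internal/base/alpine:3.19",    // blessed
		"registry.example.internal/app@sha256:0123abcd", // blessed, pinned by digest
	}
	for _, r := range refs {
		fmt.Printf("%-50s -> %s\n", r, registryOf(r))
	}
	fmt.Println("rejected:", rejectedImages(refs))
}
```

The check is deliberately about where a reference resolves to, not what it looks like: a reference with no host is treated as docker.io and rejected, which is exactly the case a naive "does it start with my hostname" string match gets wrong in the other direction when a tag or digest is appended.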
amiga386, about 1 month ago

A lovely article, but one section definitely needs a [citation needed]

> (OpenSSL is written in C, so this mistake was incredibly easy to make and miss; in a memory-safe language with proper bounds checking, it would have been nearly impossible.)

    package main

    import "fmt"

    type CmdType int

    const (
        WriteMsg CmdType = iota
        ReadMsg
    )

    // Cmd models a request: t says whether to write or read, d carries the
    // data (for writes), and l is the caller-supplied length the code trusts.
    type Cmd struct {
        t CmdType
        d []byte
        l int
    }

    // One shared buffer reused for every message.
    var buffer [256]byte

    var cmds = []Cmd{
        {WriteMsg, []byte("Rain. And a little ice. It's a damn good thing he doesn't know how much I hate his guts."), 88},
        {WriteMsg, []byte("Rain. And a little ice."), 23},
        {ReadMsg, nil, 23},
        {ReadMsg, nil, 88}, // oops! asks for 88 bytes although only 23 were just written
    }

    func main() {
        for c := range cmds {
            if cmds[c].t == WriteMsg {
                copy(buffer[:], cmds[c].d[:cmds[c].l])
            } else if cmds[c].t == ReadMsg {
                // Go's bounds check passes: 88 is within the 256-byte buffer,
                // so the stale tail of the earlier message is handed back.
                fmt.Println(string(buffer[:cmds[c].l]))
            }
        }
    }

The heartbleed problem was that user-controlled input could say how long it was, separate from how long it *actually* was. OpenSSL then copied the (short) thing into a buffer, but returned the (long) thing, thus revealing all sorts of other data it was keeping in the same buffer.

It wasn't caught because OpenSSL had built its own buffer/memory management routines *on top* of the actual ones provided by the language (malloc, memcpy, realloc, free), and all sorts of unsafe manipulations were happening inside one big buffer. That buffer could be in a language with perfect memory safety, the same flaw would still be there.
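The commenter's point is that the defect is a length check, not a memory-safety property, and the Go snippet shows the shared-buffer half of it. The added example below (not the commenter's code, and not OpenSSL's) shows the other half in Go: a record whose header declares a payload length, parsed once by trusting that length and once by checking it against the bytes actually received, which is the comparison the Heartbleed fix added. The record layout, the `SESSION-KEY-MATERIAL` neighbour data and the function names are constructed for the example. Note that reslicing a slice up to its capacity is legal Go, so a record that is a window into a larger connection buffer lets the unchecked parser return neighbouring bytes without any panic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed record layout modelled on a TLS heartbeat message:
// 1 byte type, 2 byte big-endian payload length, payload, 16 bytes padding.
const (
	hbHeaderLen  = 3
	hbPaddingLen = 16
)

var errLength = errors.New("declared payload length exceeds received record")

// buildRecord constructs a record carrying payload but with whatever declared
// length the caller chooses (constructed input so the mismatch can be shown).
func buildRecord(payload []byte, declared uint16) []byte {
	rec := make([]byte, hbHeaderLen+len(payload)+hbPaddingLen)
	rec[0] = 1 // heartbeat_request
	binary.BigEndian.PutUint16(rec[1:3], declared)
	copy(rec[hbHeaderLen:], payload)
	return rec
}

// parseHeartbeatUnchecked trusts the declared length, as the pre-fix code did.
// Reslicing up to cap(rec) is legal Go, so when rec is a window into a larger
// connection buffer this hands back bytes that were never part of the record,
// with no panic and no compiler complaint.
func parseHeartbeatUnchecked(rec []byte) []byte {
	declared := int(binary.BigEndian.Uint16(rec[1:3]))
	return rec[hbHeaderLen : hbHeaderLen+declared]
}

// parseHeartbeat is the checked version: the declared length must fit inside
// the bytes actually received, which is the comparison the Heartbleed fix added.
func parseHeartbeat(rec []byte) ([]byte, error) {
	if len(rec) < hbHeaderLen+hbPaddingLen {
		return nil, errLength
	}
	declared := int(binary.BigEndian.Uint16(rec[1:3]))
	if hbHeaderLen+declared+hbPaddingLen > len(rec) {
		return nil, errLength
	}
	payload := make([]byte, declared) // copy out; never alias the shared buffer
	copy(payload, rec[hbHeaderLen:hbHeaderLen+declared])
	return payload, nil
}

// leakDemo puts a 5-byte payload that claims to be 200 bytes at the front of a
// 256-byte connection buffer that also holds unrelated (constructed) data, then
// runs both parsers. It returns how many bytes beyond the real payload the
// unchecked parser exposed, and the error the checked parser produced.
func leakDemo() (extra int, checkedErr error) {
	conn := make([]byte, 256)
	copy(conn[64:], "SESSION-KEY-MATERIAL-LIVES-HERE") // constructed neighbour data
	payload := []byte("hello")
	rec := buildRecord(payload, 200)
	copy(conn, rec)
	window := conn[:len(rec)] // exactly the bytes received; cap is still 256
	leaked := parseHeartbeatUnchecked(window)
	_, err := parseHeartbeat(window)
	return len(leaked) - len(payload), err
}

func main() {
	extra, err := leakDemo()
	fmt.Printf("unchecked parser returned %d bytes beyond the payload\n", extra)
	fmt.Println("checked parser:", err)
}
```

Running it stand-alone shows the unchecked parser returning 195 bytes it was never sent and the checked parser rejecting the record. The copy into a fresh slice in `parseHeartbeat` is the second defensive detail: even a correctly bounded payload should not remain aliased to the connection buffer that later messages overwrite.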
EVa5I7bHFq9mnYK, about 1 month ago

Related: https://news.ycombinator.com/item?id=43617352 (North Korean IT workers have infiltrated the Fortune 500)
mlinksva, about 1 month ago

Good article for what it covers, but sadly does not cover isolation/sandboxing/least privilege.
lrvick, about 1 month ago

Great coverage, however it failed to mention code review and artifact signing as well as full source bootstrapping, which are fundamental defenses most distros skip.

In our distro, Stagex, our threat model assumes at least one maintainer, sysadmin, or computer is compromised at all times.

This has resulted in some specific design choices and practices:

- 100% deterministic, hermetic, reproducible
- full source bootstrapped from 180 bytes of human-auditable machine code
- all commits signed by authors
- all reviews signed by reviewers
- all released artifacts are multi-party reproduced and signed
- fully OCI (container) native all the way down "FROM scratch"
- all packages easily hash-locked to give downstream software easy determinism as well

This all goes well beyond the tactics used in Nix and Guix.

As far as we know, Stagex is the only distro designed to strictly distrust maintainers.

https://stagex.tools
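Two of the practices listed above, hash-locking and multi-party reproduced-and-signed artifacts, combine into one verification step on the consumer's side: the artifact must hash to the locked digest, and enough independent reproducers must have signed that same digest. The following added example (not Stagex's code or tooling; the lock format, the threshold rule, the reproducer names and the Ed25519 attestation message are all assumptions) shows that check in Go. The design point it illustrates is that a single disagreeing or compromised reproducer is simply not counted, so it can neither veto a good artifact nor help an altered one reach quorum.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// lockEntry is a constructed hash-lock record: the sha256 digest a downstream
// consumer expects for one artifact, and how many independent reproducers must
// have signed that same digest before the artifact is accepted.
type lockEntry struct {
	Name   string
	Digest string // hex-encoded sha256 of the artifact bytes
	Quorum int
}

// attestation is one reproducer's signed statement "I rebuilt Name and got Digest".
// The signer's public key is deliberately not carried here: it comes from the
// out-of-band trusted key set, so nobody can mint their own attesters.
type attestation struct {
	Reproducer string
	Digest     string
	Sig        []byte
}

// attestMsg is the canonical byte string each reproducer signs (assumed format).
func attestMsg(name, digest string) []byte { return []byte(name + "\n" + digest) }

func sign(priv ed25519.PrivateKey, reproducer, name, digest string) attestation {
	return attestation{reproducer, digest, ed25519.Sign(priv, attestMsg(name, digest))}
}

// verifyArtifact accepts the artifact only if (1) its digest equals the lock and
// (2) at least lock.Quorum distinct trusted reproducers validly signed that digest.
// Attestations from unknown keys, for other digests, or with bad signatures are
// skipped rather than fatal: they cannot veto, but they do not count either.
func verifyArtifact(artifact []byte, lock lockEntry, trusted map[string]ed25519.PublicKey, atts []attestation) error {
	sum := sha256.Sum256(artifact)
	got := hex.EncodeToString(sum[:])
	if got != lock.Digest {
		return fmt.Errorf("%s: digest %s does not match lock %s", lock.Name, got, lock.Digest)
	}
	agreed := map[string]bool{} // one vote per reproducer, however many attestations it sent
	for _, a := range atts {
		pub, ok := trusted[a.Reproducer]
		if !ok || a.Digest != lock.Digest {
			continue
		}
		if ed25519.Verify(pub, attestMsg(lock.Name, a.Digest), a.Sig) {
			agreed[a.Reproducer] = true
		}
	}
	if len(agreed) < lock.Quorum {
		return fmt.Errorf("%s: only %d of %d required reproducers agree", lock.Name, len(agreed), lock.Quorum)
	}
	return nil
}

// scenario constructs three reproducers with fresh keys. mallory's build yields
// a different digest (a tampered toolchain, say). With quorum 2 the artifact is
// rejected while only alice agrees, and accepted once bob's matching
// attestation arrives. Returns (error with alice+bob, error with alice+mallory).
func scenario() (withQuorum, withoutQuorum error) {
	artifact := []byte("constructed package bytes, stand-in for a real artifact")
	sum := sha256.Sum256(artifact)
	lock := lockEntry{Name: "example-pkg", Digest: hex.EncodeToString(sum[:]), Quorum: 2}

	trusted := map[string]ed25519.PublicKey{}
	privs := map[string]ed25519.PrivateKey{}
	for _, n := range []string{"alice", "bob", "mallory"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		trusted[n], privs[n] = pub, priv
	}
	tampered := sha256.Sum256([]byte("something else came out of mallory's build"))
	atts := []attestation{
		sign(privs["alice"], "alice", lock.Name, lock.Digest),
		sign(privs["mallory"], "mallory", lock.Name, hex.EncodeToString(tampered[:])),
	}
	withoutQuorum = verifyArtifact(artifact, lock, trusted, atts)
	atts = append(atts, sign(privs["bob"], "bob", lock.Name, lock.Digest))
	withQuorum = verifyArtifact(artifact, lock, trusted, atts)
	return withQuorum, withoutQuorum
}

func main() {
	ok, notOK := scenario()
	fmt.Println("alice+bob agree:   ", ok)
	fmt.Println("alice alone agrees:", notOK)
}
```

Keys are generated inline only so the example runs offline; in practice the trusted map is the part that must be distributed and pinned out of band, since the whole scheme reduces to "who is allowed to vouch" once the digest check passes.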
neuroelectron, about 1 month ago

Very suspicious article. Sounds like the "nothing to see here folks, move along" school of security.

Reproducibility is more like a security smell; a symptom you're doing things right. Determinism is the correct target and subtly different.

The focus on supply chain is a distraction. A variant of the “trusting trust” attack Ken Thompson described in 1984 is still among the most elegant and devastating. Infected development toolchains can spread horizontally to “secure” builds.

Just because it's open doesn't mean anyone's been watching closely. "50 years of security"? Important pillars of OSS have been touched by thousands of contributors with varying levels of oversight. Many commits predate strong code-signing or provenance tracking. If a compiler was compromised at any point, everything it compiled—including future versions of itself—could carry that compromise forward invisibly. This includes even "cleanroom" rebuilds.