At the time I thought it was just rude, but maybe this is when it all started.
I don’t know how many open-source project maintainers would be on guard for something that subtle, people coordinating to take over maintainership of a project.
I mean, xz isn’t normally something you’d immediately think of as security-critical. I doubt that a maintainer knows or thinks about all the potential downstream dependencies (in this case, not even a standard sshd dependency, but one that came up because of a patch that Debian used to add some systemd functionality).
EDIT:
On second thought, it actually is, given that Debian packages are xz-compressed.
We’ve had a lot of trust among open-source projects, where people just kind of assume that people are doing the right thing, but there are some very, very large places where a potential attacker might manage to get maintainership of a library, if they’re willing to spend a long time slowly getting access.
I’d figured that one day, we’d have a really big apocalypse that would cause some of that to break down, and we’d lose our innocence and have to do things differently.
I mean, let’s say that I’m an important security researcher, and I use R, a common statistical tool, nothing directly to do with security. That pulls in all kinds of libraries from various online statistics libraries, and the people working on those aren’t really security people. Perl and Python and other tools have similar things. If someone can target that security researcher using that (it could be nothing more than an intentionally-induced parsing bug in a library they use), then they can get things like that researcher’s private keys, maybe get ahold of signing keys for software packages and the like.
All of the problems get a lot harder to deal with when it’s someone willing to spend a lot of time and use sophisticated tactics.
And for a state-sponsored attacker it is cheaper to bribe (or threaten to kill, even cheaper) the single developer to add a backdoor than to do all the research to find a zero-day.
Man, there is a lot of concerning stuff there.
In particular, one person commented that the original xz maintainer was possibly subjected to a pressure campaign to hand over maintainership.
Wow