「 Unlike other supply chain attacks we have seen in Node.js, PyPI, FDroid, and the Linux Kernel that mostly consisted of atomic malicious patches, fake packages and typosquatted package names, this incident was a multi-stage operation that almost succeeded in compromising SSH servers on a global scale. 」
A bold statement from Dirk Mueller on the OpenSUSE blog:
"Debian, as well as the other affected distributions like openSUSE are carrying a significant amount of downstream-only patches to essential open-source projects, like in this case OpenSSH. With hindsight, that should be another Heartbleed-level learning for the work of the distributions. These patches built the essential steps to embed the backdoor, and do not have the scrutiny that they likely would have received by the respective upstream maintainers. Whether you trust Linus Law or not, it was not even given a chance to chime in here. Upstream did not fail on the users, distributions failed on upstream and their users here."
@ph0lk3r and @jrt have taken another look at how the #xz backdoor came about, with the necessary distance, and draw a few lessons from it.
In particular, they recommend using signed #git commits as consistently as possible, a point that was missing from my post ⬆️⬆️⬆️.
I also use them consistently in some places, but so far only where no rebases or squashes are needed. I suspect they lose the signatures on rebase too, even when you do it yourself? https://research.hisolutions.com/2024/04/xz-backdoor-eine-aufarbeitung/
The #xz issue with pre-generated scripts is a much bigger problem than anticipated. Generating the configure script with autoconf will introduce circular dependencies in lots of places. Pre-generated configure scripts solve that by reducing external dependencies.
If FLOSS is built on the four freedoms, and FLOSS has created an environment that is brittle, then perhaps it’s time for FLOSS to similarly augment the four freedoms.
We have to address this in a fundamental way. The alternative may well be the (eventual) end of FLOSS as we know it.
One of the sad side-effects of the #xz #backdoor is that many projects feel like they need to move away from #autoconf, when the problem wasn’t autoconf itself, but shipping a bunch of .m4 files – and that nobody diffed repo vs tarball (if nobody does that, it doesn’t matter what you do in the repo, e.g. switching build systems).
This is sad because it means cross-compiling stuff will soon no longer be possible, as autoconf is so far the only thing that gets cross-compiling right. CMake is a complete mess, Meson is far from great for cross-compiling and everything else just outright doesn’t support it.
People, clean up your configure.ac, get rid of .m4 and audit repo vs. tarball! That’s less work, much more effective and doesn’t kill cross-compiling!
Also, if you absolutely must blame a piece of software that was used by xz for this: That’ll be #gettext, which was the reason for the insane amount of .m4 files in the first place. gettext is a mess and that is really something we should get rid of.
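The "audit repo vs. tarball" step from the post above, as an added example in POSIX shell that is not part of any of the quoted posts. It builds a small constructed git repository with an autoconf-style layout, produces the tarball a maintainer should publish (`git archive` of the tag) and a constructed "dist" tarball that additionally carries a generated `configure` and an untracked `.m4` file, then reports every path the tarball has that the tagged tree does not. The repository contents, tag name, file names and tarball names are all constructed; the script assumes `git`, `tar` and `diff` are on PATH.

```shell
#!/bin/sh
# Added example (not from the original posts): audit a release tarball against
# the git tag it claims to be built from. All names below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed upstream repository: a configure.ac plus one tracked macro file.
make_repo() {
  mkdir -p "$WORK/repo/m4"
  ( cd "$WORK/repo"
    git init -q .
    printf 'AC_INIT([demo], [1.0])\nAC_OUTPUT\n' > configure.ac
    printf 'dnl tracked macro (constructed)\n' > m4/tracked.m4
    git add .
    git -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "constructed release 1.0"
    git tag v1.0 )
}

# The tarball a maintainer should publish: exactly the tagged tree.
make_clean_tarball() {
  ( cd "$WORK/repo" && git archive --format=tar --prefix=demo-1.0/ v1.0 ) \
    > "$WORK/demo-1.0-clean.tar"
}

# A constructed "dist" tarball that also ships a generated configure script and
# a macro file that never existed in the repository.
make_dist_tarball() {
  rm -rf "$WORK/dist" && mkdir -p "$WORK/dist"
  ( cd "$WORK/dist" && tar -xf "$WORK/demo-1.0-clean.tar" )
  printf 'dnl constructed, not in git\n' > "$WORK/dist/demo-1.0/m4/untracked.m4"
  printf '#!/bin/sh\necho constructed configure\n' > "$WORK/dist/demo-1.0/configure"
  ( cd "$WORK/dist" && tar -cf "$WORK/demo-1.0-dist.tar" demo-1.0 )
}

# audit_tarball_vs_repo TARBALL TAG
# Prints the paths present only in TARBALL (the files a reviewer must read by
# hand) and the tracked files whose content differs from the tag.
# Returns 0 when the tarball matches the tagged tree exactly, 1 otherwise.
audit_tarball_vs_repo() {
  tarball="$1"; tag="$2"
  scratch="$(mktemp -d "$WORK/audit.XXXXXX")"
  mkdir "$scratch/repo" "$scratch/tar"
  ( cd "$WORK/repo" && git archive --format=tar "$tag" ) | tar -xf - -C "$scratch/repo"
  tar -xf "$tarball" -C "$scratch/tar" --strip-components=1
  # Some tar implementations extract git's pax global header as a file; drop it.
  rm -f "$scratch/repo/pax_global_header" "$scratch/tar/pax_global_header"
  # diff -rq emits "Only in ..." and "Files ... differ" lines; relabel the paths.
  findings="$(diff -rq "$scratch/repo" "$scratch/tar" 2>/dev/null \
              | sed -e "s#$scratch/tar#TARBALL#g" -e "s#$scratch/repo#REPO#g" || true)"
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# count_tarball_only TARBALL TAG: how many paths exist only in the tarball.
count_tarball_only() {
  audit_tarball_vs_repo "$1" "$2" | grep -c '^Only in TARBALL' || true
}

make_repo
make_clean_tarball
make_dist_tarball
echo "clean tarball vs v1.0:"
audit_tarball_vs_repo "$WORK/demo-1.0-clean.tar" v1.0 && echo "  matches the tag"
echo "dist tarball vs v1.0:"
audit_tarball_vs_repo "$WORK/demo-1.0-dist.tar" v1.0 \
  || echo "  review the files above before trusting this release"
```

The clean tarball produces no findings; the dist tarball reports `configure` and `m4/untracked.m4` as present only in the tarball. Running the same check against a real project's release means pointing `audit_tarball_vs_repo` at the published tarball and the tag it claims to correspond to, and treating every "Only in TARBALL" line as something that has to be reviewed rather than assumed to be harmless build output.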
The #xz backdoor was found without a bug bounty as motivation. #JustSayin
(if you conclude from that that I am not a big fan of bug bounty programs for Open Source projects as it is exclusive and many FOSS projects simply will never have the money for that or the resources to team up with "Bug Bounty Service Providers" that offer this As a Service, you might be on to something ;)
The hoopla about the #xz #CVE has quieted a bit. It was a nasty one, but also a very devious one requiring a LOT of work. However, if you compare that with the constant stream of Microsoft, Ivanti, Fortinet, etc. CVEs, you wonder why not more people scream bloody murder about those. Probably Stockholm syndrome. Also bug (Really? That many that often? Isn't that some kind of malpractice?) vs deliberate attack. But still.
Meredith Whitaker, the president of Signal, said “I keep brooding on the way the xz backdoor was enabled in significant part via weaponizing the FOSS culture of shitty behavior and abuse.”
“What is striking is that the uncool, mean standards of FOSS conduct that many of us have decried for years, and that many defended as authentic, tough, etc., ended up not just being exclusionary loser behavior, but a significant attack surface.”
Hmm. People are speculating on the nation state that’s behind the #xzbackdoor and seem to be taking a decidedly Western perspective on this. The suspected threat actors they’re naming are typically Russia, China, Iran, and North Korea.
Folks, I just want to point out that you shouldn’t exclude UK, Israel, France, USA, and many others who are more than capable of this as well. And yes, this could have also been some black hat or even a commercial spyware shop doing this to later sell to the highest bidder.