Message-ID: <030a96cf36719d8a7ec702b9303616f89daed4bb.camel@HansenPartnership.com>
Subject: Re: xz meltdown/Lasse Collin
From: James Bottomley
To: "H. Peter Anvin", "tech-board-discuss@lists.linuxfoundation.org"
Date: Sat, 13 Apr 2024 09:16:09 -0400
In-Reply-To: <8205E91D-F15B-402D-9398-33E4FF4E4E62@zytor.com>
References: <8205E91D-F15B-402D-9398-33E4FF4E4E62@zytor.com>
X-Mailing-List: tech-board-discuss@lists.linux.dev

On Fri, 2024-04-12 at 10:36 -0700, H. Peter Anvin wrote:
> Hi,
>
> Does anyone know if anyone has reached out to Lasse Collin (original
> xz-utils maintainer) and see if he needs any material assistance?

After the abuse campaign was exposed, he seems to have found a community
of supporters and is getting back into the swing of development (at
least now that the GitHub repos and accounts have been restored):

https://github.com/tukaani-project/xz/commit/e93e13c8b3bec925c56e0c0b675d8000a0f7f754
https://github.com/tukaani-project/xz/issues/105

For the ecosystem, I think the main lessons are

1. Trust is not a useful security metric. Note: trust is still useful
   for ensuring people have the skills and ability to contribute; it's
   just not a guarantor of future good behaviour. This means we should
   always have independent reviews for every commit.

2. We need better build artifact transparency generally, but I think
   the kernel is fine here: we still use make, so we don't have the huge
   build artifact issue that allowed the exploit in, and we have a
   documented signing process for our build artifacts (kernel
   tarballs).

3. The indirect library dependency problem doesn't apply to us.

If you're asking what the TAB could do, I think OpenSSF needs a complete
makeover. The badge thing is futile and wouldn't have helped here. What
we need is proactive identification of and support for projects at risk
of this type of maintainer burnout attack. We could also do with some
resources looking at the library dependency problem and the complex
build system (autoconf, meson, etc.) artifact issue.

Regards,

James
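Lesson 2 above is about the gap between what a project keeps under version control and what it ships as a release tarball: generated or hand-added files in the tarball are exactly where the xz backdoor was hidden, and a tarball signature only proves who published the archive, not that it matches the tree. The script below is an added example (it is not code from this thread, nor from the xz or kernel projects) of the check a downstream packager or reviewer can run: unpack the release tarball and a `git archive` export of the tagged commit in memory, strip the common top-level directory, and report every file that exists only in the release (other than an explicit allowlist of expected build products), every file whose bytes differ, and every file the release dropped. The project name "demo", the file names and the tarball contents are all constructed for the demonstration; the allowlist of "expected generated files" is an assumption a real user would fill in from the project's own build system.

```python
"""Compare a release tarball against a VCS export and report drift.

Added example, not code from this thread or from the xz/kernel projects.
All file names and contents below are constructed for the demonstration.
"""
import hashlib
import io
import tarfile
from dataclasses import dataclass, field
from typing import Iterable


def tar_entries(tar_bytes: bytes) -> dict:
    """Return {path: contents} for every regular file in an in-memory tarball.

    Both `git archive` output and autotools dist tarballs prefix every path
    with a top-level directory (e.g. demo-1.0/); it is stripped so the two
    trees can be compared path by path.
    """
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            entries[path] = tf.extractfile(member).read()
    return entries


@dataclass
class ArtifactDiff:
    only_in_release: list = field(default_factory=list)  # unexplained extra files
    only_in_vcs: list = field(default_factory=list)      # dropped from the tarball
    modified: list = field(default_factory=list)         # same path, different bytes

    @property
    def clean(self) -> bool:
        # Files missing from the tarball cannot carry a payload; extras and
        # modifications can, so only those decide the verdict.
        return not (self.only_in_release or self.modified)


def diff_release_against_vcs(release_tar: bytes, vcs_tar: bytes,
                             generated_ok: Iterable[str] = ()) -> ArtifactDiff:
    """Flag files the release adds or changes relative to the VCS export.

    generated_ok lists build products (configure, Makefile.in, ...) that are
    legitimately absent from the repository; anything else that exists only
    in the release tarball is reported, as is any file whose bytes differ.
    """
    release = tar_entries(release_tar)
    vcs = tar_entries(vcs_tar)
    allowed = set(generated_ok)
    diff = ArtifactDiff()
    for path in sorted(set(release) | set(vcs)):
        if path not in vcs:
            if path not in allowed:
                diff.only_in_release.append(path)
        elif path not in release:
            diff.only_in_vcs.append(path)
        elif hashlib.sha256(release[path]).digest() != hashlib.sha256(vcs[path]).digest():
            diff.modified.append(path)
    return diff


def make_tar(prefix: str, files: dict) -> bytes:
    """Build a gzip tarball in memory (used only to construct sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample trees for a hypothetical project "demo", version 1.0.
VCS_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/ax_check.m4": b"dnl tracked helper macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    ".gitignore": b"configure\n",
}
RELEASE_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/ax_check.m4": b"dnl tracked helper macro\ndnl extra line added at dist time\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "configure": b"#!/bin/sh\n# generated by autoconf\n",        # expected build product
    "m4/build-helper.m4": b"dnl not in the repository at all\n",  # unexplained extra
}
EXPECTED_GENERATED = {"configure"}  # assumption: what this project's dist step emits


def demo() -> ArtifactDiff:
    return diff_release_against_vcs(make_tar("demo-1.0", RELEASE_TREE),
                                    make_tar("demo-1.0", VCS_TREE),
                                    generated_ok=EXPECTED_GENERATED)


if __name__ == "__main__":
    result = demo()
    print("only in release:", result.only_in_release)
    print("modified:       ", result.modified)
    print("only in vcs:    ", result.only_in_vcs)
    print("clean:", result.clean)
```

In real use the VCS side comes from `git archive --format=tar --prefix=demo-1.0/ v1.0` run against the tagged commit and the release side is the downloaded tarball; anything left in `only_in_release` or `modified` after the allowlist is applied needs to be explained by the maintainer before the artifact is trusted. The check complements, rather than replaces, verifying the tarball's signature: the signature answers "who published this", the diff answers "does it match the reviewed tree".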