BLU Discuss list archive



[Discuss] Debian 12 in the Cloud



On Fri, 31 May 2024 15:23:34 -0700
Kent Borg <kentborg at borg.org> wrote:

> Jeeze. Sounds to me like an argument for stuff being too complex is a 
> bad idea.

I'm saying that you should examine Thomas Roccia's diagram carefully,
because the attack had nothing to do with the complexity of systemd or
xz or anything else. Fundamentally, the social aspects would work
against any number of lone developers; and the technical aspects would
work against any project sufficiently complex to require a dedicated
test suite. Which is a lot of developers and a lot of projects.

xz and systemd were not targeted because they are "too complicated".
systemd was targeted because it is ubiquitous, and xz was targeted
because it was an easy way to get at systemd. If systemd did not exist
then that actor would have targeted some other software chain instead.


> You seem to be arguing that a state actor did this therefore nothing 
> could have been done, nothing could be improved, everyone is
> blameless.

"If you're going to lay blame on anyone, blame it on all of us who put
our mission critical applications on libraries maintained by lone
individuals in their spare time. Because this is the real reason, the
real root cause, for this. One lone individual manipulated by a
(probably) well-funded (probably) state actor."

I don't know that this actor was a well-funded, state-sponsored actor.
But given that this was a long term project (over two years at the time
it was discovered) with a sophisticated supply chain insertion, I agree
with the experts who believe this was enacted by a well-funded,
state-sponsored group.


> I say anyone patching OpenSSH is a really, really iffy idea. I say 
> systemd is too complex. I say xz using obscure M4 scripts few people 
> *ever* understood was an unfortunate decision that proved dangerous.

GNU Autoconf is written in M4. I think this alone takes it well out of
the "obscure" category.

I'm just trying to politely suggest that you examine the forensic
analyses instead of applying overly broad strokes with the blame brush.
We get it that you dislike systemd. Most of us here, I believe, agree.
But that's not a good reason to blame it for the xz supply chain attack
when the only role it had is being a choice target.

-- 
\m/ (--) \m/
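The "sophisticated supply chain insertion" the reply refers to is, in general terms, a release artifact that does not match the tagged source it claims to be built from: build-system files such as autoconf m4 macros, or data under the test suite, can be added or altered in the tarball alone. The check a practitioner would want is to diff the tarball against the tagged tree, with an allowlist for files the release process legitimately generates (autoconf's `configure`). The following is an added example and is not code from this post, from the BLU list, or from xz, systemd or any other project; the helper names (`diff_tarball_against_tree`, `build_tarball`), the directory layout and the file contents are constructed for illustration.

```python
"""Added example: flag files that a release tarball ships but the tagged
source tree does not contain, or contains with different content.

Hypothetical helper, not taken from any real project. Paths, file names
and contents below are constructed test data.
"""
import hashlib
import io
import tarfile
from typing import Dict, Iterable, List, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_members(tarball: bytes) -> Dict[str, bytes]:
    """Return {path: content} for regular files in a tarball, with the
    top-level release directory (e.g. 'proj-1.0/') stripped from each path."""
    members: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            path = m.name.split("/", 1)[1] if "/" in m.name else m.name
            fh = tf.extractfile(m)
            members[path] = fh.read() if fh else b""
    return members


def diff_tarball_against_tree(tarball: bytes, tagged: Dict[str, bytes],
                              generated_ok: Iterable[str] = ()
                              ) -> Tuple[List[str], List[str]]:
    """Return (extra, changed).

    extra   - paths present only in the tarball, minus names in generated_ok
              (files the release step legitimately produces, e.g. 'configure')
    changed - paths present in both whose content hash differs
    An injected build script or altered test fixture lands in one of the two.
    """
    allow = set(generated_ok)
    shipped = tarball_members(tarball)
    extra = sorted(p for p in shipped if p not in tagged and p not in allow)
    changed = sorted(p for p in shipped
                     if p in tagged and sha256(shipped[p]) != sha256(tagged[p]))
    return extra, changed


def build_tarball(tree: Dict[str, bytes], prefix: str = "proj-1.0") -> bytes:
    """Constructed fixture: pack an in-memory tree into a gzip tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in tree.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data (hypothetical project, not real files).
TAGGED_TREE: Dict[str, bytes] = {
    "configure.ac": b"AC_INIT([proj], [1.0])\nAC_OUTPUT\n",
    "m4/project.m4": b"dnl original macro\n",
    "tests/files/good.bin": b"\x00\x01\x02",
}
RELEASE_TREE: Dict[str, bytes] = dict(TAGGED_TREE)
RELEASE_TREE["configure"] = b"#!/bin/sh\n# generated by autoconf\n"       # expected extra
RELEASE_TREE["m4/project.m4"] = b"dnl original macro\ndnl extra stage\n"  # modified
RELEASE_TREE["m4/extra.m4"] = b"dnl not in the tagged tree\n"             # unexpected extra


def demo() -> Tuple[List[str], List[str]]:
    """Run the check on the constructed release against the constructed tag."""
    return diff_tarball_against_tree(build_tarball(RELEASE_TREE), TAGGED_TREE,
                                     generated_ok=("configure",))


if __name__ == "__main__":
    extra, changed = demo()
    print("only in tarball :", extra)
    print("differs from tag:", changed)
```

Against a real release, `tagged` would be built by walking a `git archive` of the tag rather than from a dict, and the `generated_ok` allowlist should be kept short and reviewed, since every name on it is a place where tarball-only content goes unexamined.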