On Tue, Apr 2, 2024 at 7:35 PM Paul Koning via Gdb <g...@sourceware.org> wrote:
> [...]
>
> I agree that GDB, and for that matter other projects with significant numbers
> of contributors, are not nearly as likely to be vulnerable to this sort of
> attack. But I worry that xz may not be the only project that's small enough
> to be vulnerable, and be security-relevant in not so obvious ways.

This cuts a lot deeper than folks think. Here are two other examples off the top of my head...

Other vulnerable projects include ncurses and libnettle. Ncurses is run by Thomas Dickey (https://invisible-island.net/). libnettle is run by Niels Möller (https://www.lysator.liu.se/~nisse/nettle/). Both are one-man shows with no continuity plans. Dickey does not even run a public version control system. You have to download his release tarballs, and there's no history to review or make pull requests against.

If Dickey or Möller got hit by a bus crossing the street, there would be problems for years.

Jeff

> One question that comes to mind is whether there has been an effort across
> the open source community to identify possible other targets of such attacks.
> Contributions elsewhere by the suspect in this case are an obvious concern,
> but similar scenarios with different names could also be. That probably
> should be an ongoing activity: whenever some external component is used, it
> would be worth knowing how it is maintained, and how many eyeballs are
> involved. Even if this isn't done by everyone, it seems like a proper
> precaution for security sensitive projects.
>
> Another question that comes to mind: I would guess that relevant law
> enforcement agencies are already looking into this, but it would seem
> appropriate for those closest to the attacked software to reach out
> explicitly and assist in any criminal investigations.
>
> paul
>