On Mon, Apr 01, 2024 at 01:45:07AM +0000, Andy Smith wrote:
> Hi,
>
> On Sun, Mar 31, 2024 at 07:19:41PM -0500, Nicholas Geovanis wrote:
> > I would think A Smith's comment here was directed to this interesting bit
> > from the report he cited:
> >
> > Given the activity over several weeks, the committer is either directly
> > involved or there was some quite severe compromise of their
> > system. Unfortunately the latter looks like the less likely explanation,
> > given
> > they communicated on various lists about the "fixes" mentioned above.
> >
> > End quote.
>
> I don't really want to go much further into this as the person I
> responded to was clearly further upset by what I said, but all I was
> suggesting was not getting too worked up about things that are so
> far out of one's control.
>
> To bring this sort of thing somewhat more under humanity's control
> is going to take some very large scale reworking of how the open
> source software supply chain works, possibly even how society works.
> It's not something that can be achieved by an end user with a best
> practices document or a security checklist. Unless step one on the
> list is "give up general purpose computing."
>
> In the xz case the further you go looking for a root cause the wider
> the implications are:
>
> Q: Why was there a back door in sshd?
> A: Because some malicious code was linked to it.
>
> Q: How did malicious code get linked to it?
> A: Its lzma dependency was compromised.
>
> Q: Who compromised the lzma dependency?
> A: One of the developers of that project who had full rights to
> commit code to it.
>
> Q: Why did a persona that no one knows anything about get full
> access rights to a code repository that is linked to openssh?
> A: Because they did some work over a period of years that looked
> genuine and the single other developer who was overwhelmed with work
> decided to give them access based on that
>
> Q: Why did lzma, a dependency of openssh, have a single overwhelmed
> developer?
> A: Because no one felt the need to pay a team of developers to work
> on it or audit work on it.
>

I love this. It's a great example of the "5 whys" (I know one of the 5 here was technically a "how", but could have just as easily been rephrased as a "why").

The final answer isn't comforting, but it certainly provides a clear and actionable path: "ensure critical projects aren't understaffed." It seems like an extremely obvious thing, the sort of thing that we wouldn't let happen. But then this XKCD from a year or two ago wouldn't be such an accurate representation of so many projects: https://xkcd.com/2347/ (I'm sure it's probably been linked in 1,000 different threads in 1,000 different forums related to this problem by now.)

Regards,

-Roberto

-- 
Roberto C. Sánchez