On 4/6/24 09:15, Thomas Schmitt wrote:
Hi,
Nicholas Geovanis wrote:
But what if next time the back-doored software _does_ build without error?
The initial build problems did not cause suspicion.
It was the CPU load of sshd and an obscure complaint by valgrind which
caused the discovery.
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
quotes the discoverer Andres Freund:
"I was doing some micro-benchmarking at the time, needed to quiesce
the system to reduce noise. Saw sshd processes were using a surprising
amount of CPU, despite immediately failing because of wrong usernames
etc. Profiled sshd, showing lots of cpu time in liblzma, with perf
unable to attribute it to a symbol. Got suspicious. Recalled that I had
seen an odd valgrind complaint in automated testing of postgres, a few
weeks earlier, after package updates.
Really required a lot of coincidences."
gene heskett wrote:
In light of that it's worth noting that an M$ employee was the first to
spot it.
Indeed.
Thus we should also praise the peace between Microsoft and free software
which broke out a few years ago.
There remains the question of whom a good citizen should contact when
spotting something that could be a backdoor (or a subtenant?) of
Debian's content or infrastructure.
It seems unwise for a non-expert to do this in public, unless one wants
to accuse the innocent or to warn the hoodlums.
Which category I am firmly in, in the larger view, Thomas, although I do
run the bleeding edge master of linuxcnc on several of my garage
machines. My main interests are in the realtime performance of machine
controllers running lathes and multi-axis mills. That, and doing things
with odd hardware that most wouldn't even try, like running a 1945
Sheldon 11x54 lathe with an rpi. Works great. I start the job and walk
away, while Casper the ghost is turning the cranks, but 2 to 10 times
faster than the best machinist. And it's doing things it could never do
before. Keeps me out of the bars. ;o)>
Have a nice day :)
Thomas
Cheers, Gene Heskett, CET.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis