On Sun, 2 Jun 2024 12:57:49 -0700
Kent Borg <kentb...@borg.org> wrote:

> but I have personally seen that more lines of code means less is
> known about what is really going on inside that code, which means
> lower odds that the right (and safe) stuff is going on in there.

Anecdote is not evidence. Just because you've seen bad code in large
programs does not indicate a general correlation between number of lines
and attack surface. All it means is that you have seen large, badly
written programs.

But let's take your argument at face value, that more lines of code
means larger attack surface. systemd is on the order of 2 million lines
of code. The Linux kernel is on the order of 30 million lines of
code, which, if your correlation were true, would mean the kernel has an
approximately 15 times larger attack surface than systemd.

I hope we can agree that this is not the case, and thus we can dismiss
the idea that fewer lines == more secure as the myth it is.

> - The fact that test and build processes are intertwined and so 
> complicated that they can't be trusted to produce the right
> output—and people apparently think this complexity is a reasonable
> state of affairs—should be an embarrassment, not an excuse.

Lines of code and complexity had nothing to do with the XZ supply chain
attack. The XZ backdoor depended on the manipulation of a lone human
being. It was then concealed by exploiting .gitignore and various
detection tool exceptions in ways that are common practice across the
entire open source development community.

> - The fact that people might want to make systemd happier by patching 
> OpenSSH should be an embarrassment, not an excuse. (The fact that
> anyone would patch OpenSSH at *all* should be an embarrassment.)
> 
> - The fact that it was possible for any bad guys to thread through
> this chaos and plant a backdoor in sshd (sshd!) should be taken as
> evidence that it is a horribly embarrassing mess, not an excuse.

There never was a backdoor in sshd. The backdoor is in XZ, which is
called by systemd when the patched sshd triggers the notification
system. But -- and follow me here -- it never needed to be OpenSSH
specifically. It could have been anything triggering the notification
system. OpenSSH happened to be a useful vector but that's all it ever
was: a vector. It was never part of the attack.

-- 
\m/ (--) \m/
_______________________________________________
Discuss mailing list
Discuss@driftwood.blu.org
https://driftwood.blu.org/mailman/listinfo/discuss

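The notification path the message above describes, as an added example that is not part of the original post and is neither OpenSSH's nor systemd's code: the protocol sd_notify(3) documents is a single AF_UNIX datagram of newline-separated KEY=VALUE lines sent to the path named in $NOTIFY_SOCKET. The block below implements that in plain libc, so a daemon can report READY=1 without linking libsystemd or anything libsystemd drags in, and includes a self-test that plays the systemd side over a throwaway socket under /tmp. The function names and the socket path are this example's own assumptions.

```c
/* Minimal sd_notify-style client in plain libc. Added example; not code
 * from OpenSSH, systemd, or the mailing-list post. Function names and the
 * self-test socket path are assumptions made for this illustration. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one state message (newline-separated KEY=VALUE lines) as a single
 * datagram to the notify socket at socket_path. Returns 0 on success,
 * -1 on any error. A leading '@' selects the abstract namespace, which
 * sd_notify(3) also accepts. */
int notify_send(const char *socket_path, const char *state)
{
    struct sockaddr_un addr;
    size_t len = strlen(socket_path);
    size_t slen = strlen(state);
    socklen_t addrlen;
    int fd;
    ssize_t n;

    if (len == 0 || len >= sizeof(addr.sun_path))
        return -1;
    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, socket_path, len);
    addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len + 1);
    if (addr.sun_path[0] == '@') {
        /* Abstract socket: leading NUL, and the length excludes a terminator. */
        addr.sun_path[0] = '\0';
        addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
    }
    n = sendto(fd, state, slen, 0, (struct sockaddr *)&addr, addrlen);
    close(fd);
    return (n == (ssize_t)slen) ? 0 : -1;
}

/* What a daemon calls once it is actually serving: honour $NOTIFY_SOCKET
 * as sd_notify(3) documents, and do nothing when not run under systemd. */
int notify_ready(void)
{
    const char *sock = getenv("NOTIFY_SOCKET");
    if (sock == NULL)
        return 0;
    return notify_send(sock, "READY=1\n");
}

/* Self-test: bind a datagram socket (constructed path under /tmp), send a
 * state message to it with notify_send, and return 1 if the exact bytes
 * arrive. This is the systemd side of the exchange, played by us. */
int notify_selftest(void)
{
    const char *msg = "READY=1\nSTATUS=listening\n";
    char path[64];
    char buf[128];
    struct sockaddr_un addr;
    int fd, ok = 0;

    snprintf(path, sizeof(path), "/tmp/notify-selftest-%ld.sock", (long)getpid());
    unlink(path);
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return 0;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        notify_send(path, msg) == 0) {
        ssize_t n = recv(fd, buf, sizeof(buf) - 1, 0);
        if (n > 0) {
            buf[n] = '\0';
            ok = (strcmp(buf, msg) == 0);
        }
    }
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("notify self-test: %s\n", notify_selftest() ? "ok" : "failed");
    return 0;
}
```

The practical check that follows from the post's point is whether a given sshd binary carries the libsystemd dependency chain at all: `ldd "$(command -v sshd)" | grep -i lzma` on a distribution's sshd shows whether liblzma is loaded into the daemon's address space, which is the condition the XZ backdoor relied on. A daemon using the datagram above has nothing for that grep to find.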