Rich Pieri said on Mon, 3 Jun 2024 17:46:23 -0400

>On Mon, 3 Jun 2024 15:58:57 -0400
>Steve Litt <sl...@troubleshooters.com> wrote:
>
>>> >Numbers of lines of code do not correlate with attack surface.
>>> > 
>> That's exactly what I said, except I used the word correlate.  
>
>You said there is a correlation even if it's not 1:1.
>
>I said that no such correlation exists. It's a myth.

I'll need to see the URL to the statistical survey showing that in
order to accept it.

[snip]
>I need to amend your timeline because systemd is getting better. The
>developers have been removing potentially insecure external
>dependencies, including XZ, so the timeline really looks like this:
>
>* systemd incorporates XZ into itself [basic Unix philosophy of reusing
>  existing tools/libraries]
>
>* Long game evil SOB tortures unpaid, volunteer XZ maintainer [not
>  underpaid; unpaid]
>
>* SOB begins preparations for inserting their backdoor into XZ code
>
>* Two years of SOB slowly and carefully implementing their payload
>  delivery scheme [backdoor is not here, yet]
>
>* systemd crew announce forthcoming removal of XZ dependency [disaster
>  for SOB]
>
>* SOB, now under severe time constraints, quickly commits obfuscated
>  backdoor code into the 5.6.0 and 5.6.1 tarballs, hidden from the
>  GitHub repo using .gitignore.
>
>* SOB asks Red Hat and Debian to accept the 5.6.0/5.6.1 releases into
>  their testing/rolling releases which they do. Other rolling distros
>  and development releases follow suit. [common practice for developers
>  wanting their latest and greatest included in the latest and greatest
>  distro releases] [backdoor is now live on a relatively small number
>  of systems -- including two of mine running Tumbleweed, though
>  neither exposed to the public network and therefore not exploitable]
>
>* Andres Freund identifies an anomaly, tracks it to the backdoor
>  [*very* lucky us]

The preceding timeline sounds reasonable and I believe it. However, it
doesn't contradict my point that systemd has too many dependencies for
them to handle, and distros deploying systemd can't do all the due
diligence to make sure it isn't a pathway to a supply chain attack.

SteveT

Steve Litt 

Autumn 2023 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21
_______________________________________________
Discuss mailing list
Discuss@driftwood.blu.org
https://driftwood.blu.org/mailman/listinfo/discuss
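
The quoted timeline turns on one mechanism: the payload lived in the release
tarballs, not in the files git tracked. The script below is an added example,
written for this page and not code from the thread, from xz or from systemd.
It lists every file a tarball ships that is absent from `git ls-tree` at the
matching tag, which is the gap a .gitignore rule (or a file that was simply
never committed) opens. The repository, the v1.0 tag, the proj-1.0.tar.gz
tarball and the m4/extra-hook.m4 file name are all constructed here so the
check runs offline; point untracked_in_tarball at a real tarball, checkout
and tag to use it on an actual release.

```sh
#!/bin/sh
# Added example: compare a release tarball with the git tree at the release
# tag and print the files that are in the tarball but not tracked by git.
# Everything under build_fixture is constructed sample data, not a real
# project.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# untracked_in_tarball TARBALL REPO REF
# Prints, one per line, the paths inside TARBALL (top-level directory
# stripped, directories dropped) that `git ls-tree -r REF` in REPO does not
# know about. Empty output means every shipped file is backed by a commit.
untracked_in_tarball() {
    tar -tzf "$1" | sed 's#^[^/]*/##' | grep -v -e '/$' -e '^$' \
        | sort -u >"$WORK/tar.lst"
    git -C "$2" ls-tree -r --name-only "$3" | sort -u >"$WORK/git.lst"
    # comm -23: lines only in the first (tarball) list.
    comm -23 "$WORK/tar.lst" "$WORK/git.lst"
}

# Constructed upstream: two tracked files and a .gitignore rule that masks
# m4/extra-*.m4, tagged v1.0. The release directory carries those two files
# plus one m4/extra-hook.m4 that git never saw, so it shows up only in the
# tarball. Idempotent so the demo can run more than once in one shell.
build_fixture() {
    repo=$WORK/upstream
    [ -d "$repo/.git" ] && return 0
    mkdir -p "$repo/m4"
    printf 'AC_INIT([proj], [1.0])\n' >"$repo/configure.ac"
    printf 'dnl tracked helper macro\n' >"$repo/m4/helper.m4"
    printf 'm4/extra-*.m4\n' >"$repo/.gitignore"
    git -C "$repo" init -q
    git -C "$repo" add -A
    git -C "$repo" -c user.name=fixture -c user.email=fixture@example.invalid \
        commit -q -m 'release 1.0'
    git -C "$repo" tag v1.0

    rel=$WORK/proj-1.0
    mkdir -p "$rel/m4"
    cp "$repo/configure.ac" "$rel/"
    cp "$repo/m4/helper.m4" "$rel/m4/"
    # Constructed stand-in for a file shipped only in the tarball.
    printf 'dnl present in the tarball, absent from git\n' >"$rel/m4/extra-hook.m4"
    tar -C "$WORK" -czf "$WORK/proj-1.0.tar.gz" proj-1.0
}

# Build the fixture and run the check; returns the tarball-only file list.
demo() {
    build_fixture
    untracked_in_tarball "$WORK/proj-1.0.tar.gz" "$WORK/upstream" v1.0
}

demo
```

Run it with no arguments and it prints m4/extra-hook.m4, the one shipped file
with no commit behind it. On a real release the interesting cases are
generated files (configure, Makefile.in, m4 helpers) that every autotools
tarball legitimately carries; the reviewer's job is to regenerate those from
the tagged tree and diff them, since anything that cannot be reproduced from
git is exactly where a tarball-only payload would sit.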