Yeah, a short writeup on RB in the context of the SolarWinds attack would be
great to have, especially now that more details are coming out. It's quite an
impressive hack, it even cleans up after itself:
To prevent detection, Sunburst’s creators “included a hash verification check”
to ensure the injected malicious code “is compatible with a known source file”.
Once the build process was complete, Sunburst waited for MsBuild.exe to exit
“before restoring the original source code and deleting the temporary
InventoryManager.bk file” containing its malicious code, now compiled into the
Orion product.
https://www.theregister.com/2021/01/12/solarwinds_tech_analysis_crowdstrike/
.hc
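The Register excerpt above is the point of the whole thread: the source tree was restored and a hash check on the source passed, so only something that compares the *output* of independent builds would have noticed. Below is an added illustration of that distinction, not code from the thread or from the Reproducible Builds project. Everything in it is constructed: the "compiler" is a deterministic hash-based stand-in, the tampering step is a harmless placeholder string rather than anything resembling real malware, and the file names are invented.

```python
"""Added example (not from the mailing-list thread): why an independent
rebuild catches a compromised build host when a source-tree hash check does
not.  All inputs are constructed; the 'compiler' is a stand-in, not a real
toolchain."""
import hashlib
from typing import Dict

# Constructed source tree: path -> file contents.
SOURCE_TREE: Dict[str, bytes] = {
    "src/Main.cs": b"class Main { static void Run() { Start(); } }\n",
    "src/Inventory.cs": b"class Inventory { static void Load() { } }\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_tree_hash(tree: Dict[str, bytes]) -> str:
    """Hash of the whole tree in a path-sorted, length-delimited order, so
    the result depends only on content, not on dict ordering."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode())
        h.update(b"\0")
        h.update(tree[path])
        h.update(b"\0")
    return h.hexdigest()


def honest_build(tree: Dict[str, bytes]) -> bytes:
    """Stand-in for a deterministic compiler: the artifact is a pure
    function of the source tree, which is what reproducibility requires."""
    return b"ARTIFACT:" + source_tree_hash(tree).encode()


def compromised_build(tree: Dict[str, bytes]) -> bytes:
    """Stand-in for a tampered build host.  It compiles a modified copy of
    one file, then leaves the caller's tree untouched, mirroring the
    'restore the original source afterwards' behaviour the article
    describes.  The injected text is a constructed placeholder only."""
    tampered = dict(tree)
    tampered["src/Inventory.cs"] = (
        tree["src/Inventory.cs"] + b"// constructed placeholder, not real code\n"
    )
    return honest_build(tampered)


def source_check_passes(tree: Dict[str, bytes], expected_hash: str) -> bool:
    """The kind of check that is blind to this attack: it only looks at the
    source tree as it exists after the build has finished."""
    return source_tree_hash(tree) == expected_hash


def independent_rebuild_check(tree: Dict[str, bytes], shipped: bytes) -> bool:
    """What a reproducible-builds verifier does: rebuild from the same source
    on an independent host and compare artifact hashes with what shipped."""
    return sha256(honest_build(tree)) == sha256(shipped)


def demo() -> Dict[str, bool]:
    """Run both checks against an artifact produced by the tampered host."""
    tree = dict(SOURCE_TREE)
    expected = source_tree_hash(tree)
    shipped = compromised_build(tree)
    return {
        "source_check_passes": source_check_passes(tree, expected),
        "rebuild_check_passes": independent_rebuild_check(tree, shipped),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The source-tree check reports success because the tree really is intact by the time anyone looks at it; the rebuild check fails because a second builder, starting from that same intact tree, produces a different artifact hash. That difference is the signal a reproducible-builds verifier would have raised here.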
David Kleuker:
It doesn't help much to rant on this ML where all people know what reproducible
builds are. Instead, contacting all those journalists that did not mention it
has a chance to change the current status.
A publication on reproducible-builds.org about this incident would also be
helpful to share the link.
Next time this happens, journalists would at least know they COULD mention it.
kind regards
David Kleuker
Chris Lamb <ch...@reproducible-builds.org> wrote on 21.12.2020 15:30:
David A. Wheeler wrote:
Let me restate this: it appears that the *source code* wasn’t
compromised, and the *distribution* system wasn’t compromised. Instead,
the *build system* was compromised.
Thanks for this, David. You are absolutely right that this is exactly
what Reproducible Builds was 'designed' for to begin with. An ironic
hurrah that this kind of attack is getting more visibility these days.
Another thanks for the press references too -- I will make good use of
them when writing our next monthly report. (Alas, if it wasn't the
holiday season I might be tempted to suggest that we do a specific
publicity boost based on this...)
Regards,
--
o
⬋ ⬊ Chris Lamb
o o reproducible-builds.org 💠
⬊ ⬋
o
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556