:: Re: [DNG] security: check xc-utils …
Author: Steve Litt
Date:  
To: plug-discuss
CC: dng
Subject: Re: [DNG] security: check xc-utils versions
der.hans via PLUG-discuss said on Sun, 31 Mar 2024 07:19:43 +0000 (UTC)

>Am 30. Mar, 2024 schwätzte Matthew Crews via PLUG-discuss so:
>
>> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>>
>> While I'm not sure that this specific vulnerability led to much harm
>> (who knows yet?), we're going to be feeling the after-shocks in the
>> open source and security industries for a long time.
>>
>> Among the many questions that need to be asked:
>>
>> 1. How can we trust source tarballs / archive files to be 100%
>> correct versus source code?
>
>Reproducible builds help with that.
>
>> 2. Without looking at the source code line-by-line, how do we detect
>> supply chain attacks before they are propagated to end users?
>
>Maybe peer review and audits as the code goes in. That'll take a lot of
>effort, especially for small projects.
>
>> 3. How do we properly vet source code contributors to make sure they
>> aren't going to perform supply chain attacks?
>
>It's going to be a rough Summer for some of us.


A couple Niklaus Wirth quotes from
https://www.bostonglobe.com/2024/02/28/metro/niklaus-wirth-software-developer-who-saw-power-simplicity-dies-89/
:

============================================
“The art in engineering is not so much to make something very
complicated. The art is to make a complicated problem simpler.”

“When you develop a program, it’s much harder to devise a simple
solution than complicated ones. Unfortunately, our computers
are terribly uncritical. They swallow anything.”
============================================

Yes, it's easier to incorporate yet another library that's really a
tree of dependencies, and the computer will swallow it. For the last
several years, the problems caused by the complexification caused by
willy-nilly use of Other People's Code (OPC) have been on full display.

We can audit. We can peer-review. We can crack the whip on source code
providers, but as long as we increasingly complexificate our software
with ever more layers of abstraction, auditing, peer-review and
cracking the whip are just kicking the can down the road.

KISS!!!!!

SteveT

Note: I'm copying the Devuan project mailing list on this post.