:: Re: [DNG] security: check xc-utils …
Página Inicial
Delete this message
Reply to this message
Autor: Didier Kryn
Data:  
Para: dng@lists.dyne.org
Assunto: Re: [DNG] security: check xc-utils versions
Le 02/04/2024 à 23:02, Steve Litt a écrit :
> der.hans via PLUG-discuss said on Sun, 31 Mar 2024 07:19:43 +0000 (UTC)
>
>> Am 30. Mar, 2024 schwätzte Matthew Crews via PLUG-discuss so:
>>
>>> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>>>
>>> While I'm not sure that this specific vulnerability led to much harm
>>> (who knows yet?), we're going to be feeling the after-shocks in the
>>> open source and security industries for a long time.
>>>
>>> Among the many questions that need to be asked:
>>>
>>> 1. How can we trust source tarballs / archive files to be 100%
>>> correct versus source code?
>> Reproducible builds help with that.
>>
>>> 2. Without looking at the source code line-by-line, how do we detect
>>> supply chain attacks before they are propagated to end users?
>> Maybe peer review and audits as the code goes in. That'll take a lot of
>> effort, especially for small projects.
>>
>>> 3. How do we properly vet source code contributors to make sure they
>>> aren't going to perform supply chain attacks?
>> It's going to be a rough Summer for some of us.
> A couple Niklaus Wirth quotes from
> https://www.bostonglobe.com/2024/02/28/metro/niklaus-wirth-software-developer-who-saw-power-simplicity-dies-89/
> :
>
> ============================================
> “The art in engineering is not so much to make something very
> complicated, The art is to make a complicated problem simpler.”
>
> “When you develop a program, it’s much harder to devise a simple
> solution than complicated ones. Unfortunately, our computers
> are terribly uncritical. They swallow anything.”
> ============================================
>
> Yes, it's easier to incorporate yet another library that's really a
> tree of dependencies, and the computer will swallow it. For the last
> several years, the problems caused by the complexification caused by
> willy-nilly use of Other People's Code (OPC) is on full display.
>
> We can audit. We can peer-review. We can crack the whip on source code
> providers, but as long as we increasingly complexificate our software
> with ever more layers of abstraction, auditing, peer-review and
> cracking the whip are just kicking the can down the road.
>
> KISS!!!!!


    Here is a piece of programer wisdom I've read in some mailing list:

    "A little copying is better than a dependency."

    Copying is always permitted by free software (with citation). The
idea here is that it is even recommended, rather than bringing a dependency.

--     Didier