Re: Three steps we could take to make supply chain attacks a bit harder

On Sun, Mar 31, 2024 at 07:54:08PM +0200, Kevin Kofler via devel wrote:
> Adam Williamson wrote:
> > Maybe this needs to go on the growing pile of reasons why the
> > traditional Linux model *does* need to go away. Maybe Fedora, with its
> > foundation of First, should be kind of at the forefront of making that
> > happen.
> 
> Switching to a container-based model is just going to introduce more 
> different library versions (in the worst case, one per container) with a 
> higher probability that one of them is compromised.

Our traditional distro model is not perfect — far from it — and we
certainly try to improve it. But I agree with Kevin that in _this
particular case_, the other models have smaller chances of catching
the issue.

Here the upstream was compromised, so 2FA, upstream signatures, and any
other checks don't help at all.

But in our "traditional model" we have one version of the dependency
used for everybody, so there is a strong incentive to review and
improve this one particular version. The packaging process is also
very open: it is absolutely routine for people to change packaging
for packages owned by other maintainers.

The newfangled models are much more about picking particular versions
of dependencies and duplicating them in multiple projects. This makes
some things easier, and makes things more independent, but I think
it'd make the xz bug less likely to be caught. If sshd was packaged as
a container or a flatpak, and I saw that it takes .8 instead of .1
seconds to log in, I certainly wouldn't spend the time to figure out
why. I'd assume that the authors did something strange and move on to
my own things.

We talk a lot about the "new ways", but software must still come from
somewhere, and the dependencies need to be maintained… Changing the
delivery format is not going to magically make this unnecessary.

Zbyszek
--