On Mon, Apr 1, 2024 at 12:22 PM Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote: > > On Mon, 2024-04-01 at 10:56 +0000, Zbigniew Jędrzejewski-Szmek wrote: > > On Sun, Mar 31, 2024 at 07:54:08PM +0200, Kevin Kofler via devel wrote: > > > Adam Williamson wrote: > > > > Maybe this needs to go on the growing pile of reasons why the > > > > traditional Linux model *does* need to go away. Maybe Fedora, with its > > > > foundation of First, should be kind of at the forefront of making that > > > > happen. > > > > > > Switching to a container-based model is just going to introduce more > > > different library versions (in the worst case, one per container) with a > > > higher probability that one of them is compromised. > > > > Our traditional distro model is not perfect — far from it — and we > > certainly try to improve it. But I agree with Kevin that in _this > > particular case_, the other models have smaller chances of catching > > the issue. > > > > Here the upstream was compromised, so 2FA, upstream signatures, and any > > other checks don't help at all. > > Yes, to be clear, my "this" was not "the specific technical details of > this attack". It was more: > > i) the factors I listed in my email about just how many people are > trusted to build 'Fedora', when 'Fedora' is essentially a collection of > arbitrary scripts executed as root > > ii) the fact that this attack reinforces the painful truth that > sophisticated attackers *are* extremely interested in attacking the > supply chain of which we form a significant component Can we please reframe it for what it actually is? This is an attack on open source communities. "Supply chain" implies a lot of things that simply don't exist in open source development. Almost the entirety of the sophistication of the attack was social engineering, not technical engineering. There *are* technical things to improve, for sure, but let's not try to make it sound like it's a wholly technical thing that can be solved with technical solutions exclusively. There are people and community problems that need addressing too. -- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue