Dne 30. 03. 24 v 18:26 Artem S. Tashkinov via devel napsal(a):
Hi, It was sheer luck that the exploit was discovered and major distros haven't yet included it in their stable releases. It's quite possible and plausible it could have reached RHEL, Debian, Ubuntu, SLES and other distros and it's almost reached Fedora 40. I don't know how to talk to RedHat/IBM/FSF/Ubuntu and all the big players behind Open Source/Linux but I want to raise a very important issue. There's near zero accountability for the tens of thousands of packages included in Linux distros, often by maintainers who have no resources, qualifications or even know any programming languages to spot the "bad" code and raise an alarm. Upstream packages are pushed into Linux distros without considerationand that's it. That's all completely unacceptable on multiple levels. Security is a joke as a result of this considering the infamous "Jia Tan" who was almost the sole maintainer of XZ for over two years. I propose this issue to be tackled in a centralized way by the collaboration of major distros.
If I was JT, I would applaud this proposal. This would give me an opportunity to infiltrate such powerful body and either
1) close my eyes above some of the reviewed content from the right parties or
2) have some nice proposal such as "do you think your code is correct and won't you include rather this specially crafted piece of code?"
But since I am not JT, I prefer the current decentralized approach. Vít
There must be a website or a central authority which includes known to be good/safe/verified/vetted open source packages along with e.g. SHA256/384/512/whatever hashes of the source tarballs. In addition, the source tarballs (not their compressed versions because people may use different compressors and compression settings) and their hashes must be digitally signed or have the appropriate PGP signatures from the trusted parties. Some parties must be assigned trust to be able to push new packages to this repository. Each push must be verified by at least two independent parties, let's say RedHat and Ubuntu or Ubuntu and Arch, it doesn't matter. The representatives of these parties must be people whose whereabouts are known to confirm who they physically are. No nicknames allowed. This website must also have/allow a revocation mechanism for situations like this. Now Fedora/Arch/Debian/Ubuntu/whatever distros can build packages knowing they are safe to use. If that's the wrong place to come up with this proposal, please forward it to the people who are responsible for making such decisions. I'm not willing to dig through the dirt to understand how the Fedora project works, who is responsible for what, and what are the appropriate communication channels. If you care, you'll simply forward my message. Thanks a lot. Best regards, Artem -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue