oss-sec mailing list archives
Re: Update on the distro-backdoor-scanner effort
From: Hank Leininger <hlein () korelogic com>
Date: Sun, 28 Apr 2024 00:45:34 -0600
On 2024-04-28, Morten Linderud wrote:
> On Fri, Apr 26, 2024 at 02:06:16PM -0600, Hank Leininger wrote:
> > - ~11k EndeavourOS/Arch packages
>
> Please just write Arch packages. There is no upstream collaboration from Endeavour on those 11k packages.
That's fair enough; I rather was attempting to indicate which distro from a family we used, "~11k Arch packages (on EndeavourOS)", similar to testing on Rocky as a representative of the RPM ecosystem, etc.

We did not analyze any AUR packages (yet? seems like we could, and if we could we should).

These same corpuses will be used for continued m4 analysis; so far we've only done the m4 spelunking on Gentoo.

That reminds me, we did not specify what release-trains we tested for each; our goal was to pick one that had (or had had, and been rolled back) a backdoored xz-utils version (5.6.0 / 5.6.1) if we could:

- Debian sid
- EndeavourOS 2024.01.25
- Gentoo as-of 2024-04-18
- Rocky 9.3

Thanks,

--
Hank Leininger <hlein () korelogic com>
8428 ED14 5268 C727 0C48 F454 846F 0637 5FEB 1612
Attachment:
signature.asc
Description: Digital signature