oss-sec mailing list archives
Re: Mitigating malicious packages in gnu/linux
From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Wed, 20 Nov 2019 13:28:04 -0600 (CST)
The ideas I have seen posted on this topic thus far are about assuring correct provenance and that installed binaries are based on what the maintainer/developer intended.
The extreme focus on delivery mechanisms entirely ignores the fact that development source code is produced in environments which are not assured to be trustworthy (possibly sitting on hard drives for months or multiple years), and then stored in environments which may or may not be trustworthy (e.g. somewhere in a communal cloud). This means that changes may be inserted into the source code without the developer/maintainer being aware.
There is also the implicit assumption that all developers and maintainers have the intention of being good and not intentionally inserting malicious code. This is not always the case, particularly if a developer becomes deranged or disgruntled. Not all developers are equally competent and sometimes a developer submits code with severe flaws.
Modern GNU/Linux systems have far too much executing code to reasonably secure. Paring down the amount of executing code helps quite a lot with improving security.
Bob -- Bob Friesenhahn bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/ Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
Current thread:
- Re: Mitigating malicious packages in gnu/linux, (continued)
- Re: Mitigating malicious packages in gnu/linux Tim Kuijsten (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Ludovic Courtès (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Morten Linderud (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Tim Kuijsten (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Pavel Heimlich (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Jakub Wilk (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Solar Designer (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Russ Allbery (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Solar Designer (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Mark Hatle (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Russ Allbery (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Aditya Sirish Arunkumar Yelgundhalli (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Bob Friesenhahn (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Jeremy Stanley (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Bob Friesenhahn (Nov 20)