Once upon a time, Gabriel Somlo <gsomlo(a)gmail.com> said:
IMHO, there's no good way to *programmatically* protect
ourselves
from a malicious upstream on which we depend. If their goal is to
compromise us, they will work around whatever programmatic/technical
measures we happen to have in place at the time they decide to launch
their attack.
Yeah. This was clearly an attack targeted at Fedora and Debian; trying
to fix the specific point of entry is a losing battle, as at the end of
the day, Fedora will still be taking code from upstreams and
distributing it to systems far and wide. The particular use of test
and autoconf files to try to hide the attack may be novel, but there are
other ways it could have been done. If there's easy and minimal-impact
ways to help (which I haven't really seen suggested), that's good to
look at, but putting lots of effort into how tests are run or wholesale
changes to configuration seem to not be all that useful.
However, it's a good trigger to review Fedora's security approach in
general (like 2FA use).
--
Chris Adams <linux(a)cmadams.net>