On Mon, 2024-04-01 at 12:27 -0400, Neal Gompa wrote:
>
> ii) the fact that this attack reinforces the painful truth that
> sophisticated attackers *are* extremely interested in attacking the
> supply chain of which we form a significant component
Can we please reframe it for what it actually is? This is an attack on
open source communities. "Supply chain" implies a lot of things that
simply don't exist in open source development. Almost the entirety of
the sophistication of the attack was social engineering, not technical
engineering. There *are* technical things to improve, for sure, but
let's not try to make it sound like it's a wholly technical thing that
can be solved with technical solutions exclusively. There are people
and community problems that need addressing too.
This feels like a derail, so splitting it into a separate subthread.
Honestly, I don't see how the first part of your paragraph relates to
the second. I agree with a lot of the second part, but not the first.
I think we *are* part of a supply chain, regardless of any handwaving
about The Open Source Model. If you are part of producing stuff that
people use to do Real Life Stuff, you are part of a supply chain. You
might want to disclaim various responsibilities for various reasons,
but you still are. If you don't want to be part of a supply chain, stop
supplying stuff. I get the argument that there's a difference between
putting a plank over a stream with a CROSS AT YOUR OWN RISK sign and
charging people to cross your toll bridge, but there are *also* some
similarities.
I agree that the social engineering aspects of this attack were very
significant (though I disagree that was "almost the entirety of the
sophistication" - the technical elements were also pretty
sophisticated). But I don't see why that leads to bikeshedding about
whether this is a "supply chain" attack or not. Why is a "social
engineering attack" not a supply chain attack, but a "technical attack"
is?
--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw(a)fosstodon.org
https://www.happyassassin.net