On 30. 03. 24 at 18:26, Artem S. Tashkinov via devel wrote:
Hi,
It was sheer luck that the exploit was discovered and major distros haven't yet
included it in their stable releases. It's quite possible and plausible it could have
reached RHEL, Debian, Ubuntu, SLES and other distros and it's almost reached Fedora
40.
I don't know how to talk to RedHat/IBM/FSF/Ubuntu and all the big players behind Open
Source/Linux but I want to raise a very important issue.
There's near zero accountability for the tens of thousands of packages included in
Linux distros, often by maintainers who have no resources, qualifications or even knowledge of any
programming language to spot the "bad" code and raise an alarm. Upstream
packages are pushed into Linux distros without consideration, and that's it.
That's all completely unacceptable on multiple levels. Security is a joke as a result
of this considering the infamous "Jia Tan" who was almost the sole maintainer of
XZ for over two years.
I propose this issue to be tackled in a centralized way by the collaboration of major
distros.
If I were JT, I would applaud this proposal. This would give me an
opportunity to infiltrate such a powerful body and either
1) close my eyes to some of the reviewed content from the right
parties, or
2) make some nice proposal such as "do you think your code is correct,
and wouldn't you rather include this specially crafted piece of code?"
But since I am not JT, I prefer the current decentralized approach.
Vít
There must be a website or a central authority which includes known to be
good/safe/verified/vetted open source packages along with e.g. SHA256/384/512/whatever
hashes of the source tarballs. In addition, the source tarballs (not their compressed
versions because people may use different compressors and compression settings) and their
hashes must be digitally signed or have the appropriate PGP signatures from the trusted
parties.
Some parties must be assigned trust to be able to push new packages to this repository.
Each push must be verified by at least two independent parties, let's say RedHat and
Ubuntu or Ubuntu and Arch, it doesn't matter. The representatives of these parties
must be people whose whereabouts are known to confirm who they physically are. No
nicknames allowed.
This website must also have/allow a revocation mechanism for situations like this.
Now Fedora/Arch/Debian/Ubuntu/whatever distros can build packages knowing they are safe
to use.
If that's the wrong place to come up with this proposal, please forward it to the
people who are responsible for making such decisions. I'm not willing to dig through
the dirt to understand how the Fedora project works, who is responsible for what, and what
are the appropriate communication channels. If you care, you'll simply forward my
message. Thanks a lot.
Best regards,
Artem
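As an added illustration, not code from either message in this thread, the two mechanical checks the proposal above implies: hashing the uncompressed tar stream so that differently compressed tarballs of the same source agree, and accepting an entry only when at least two distinct trusted parties approved it and it has not been revoked. The party names, manifest layout and the assumption that each party's PGP signature was already verified before its name was recorded are all constructed for the example.

```python
import gzip
import hashlib
import io
import lzma
import tarfile

# Constructed stand-in for the proposed registry: keyed by the SHA-256 of the
# uncompressed tar stream; party signatures are assumed verified beforehand.
TRUSTED_PARTIES = {"redhat", "ubuntu", "arch", "debian"}
REQUIRED_APPROVALS = 2

def uncompressed_tar(data: bytes) -> bytes:
    """Strip gzip or xz by magic number so every variant hashes the same tar."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(data)
    return data

def content_hash(tarball: bytes) -> str:
    return hashlib.sha256(uncompressed_tar(tarball)).hexdigest()

def is_approved(manifest: dict, digest: str) -> bool:
    """Require two distinct trusted approvers and no revocation."""
    entry = manifest.get(digest)
    if entry is None or entry.get("revoked", False):
        return False
    approvers = {p for p in entry.get("approvals", []) if p in TRUSTED_PARTIES}
    return len(approvers) >= REQUIRED_APPROVALS

def build_tarball(name: str, content: bytes) -> bytes:
    # Constructed single-file tar with a fixed mtime so the demo is deterministic.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(content)
        info.mtime = 0
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def demo() -> tuple:
    raw = build_tarball("pkg-1.0/README", b"constructed sample source\n")
    digest = content_hash(raw)
    two = {digest: {"approvals": ["redhat", "ubuntu"], "revoked": False}}
    dup = {digest: {"approvals": ["redhat", "redhat"], "revoked": False}}
    gone = {digest: {"approvals": ["redhat", "ubuntu"], "revoked": True}}
    # gzip and xz variants agree; only the two-party, unrevoked entry passes.
    return (content_hash(gzip.compress(raw)) == digest,
            content_hash(lzma.compress(raw)) == digest,
            is_approved(two, digest), is_approved(dup, digest), is_approved(gone, digest))
```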
--
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org