On Tue, Apr 02, 2024 at 07:14:02AM -0500, Nate Bargmann wrote:
> * On 2024 01 Apr 23:41 -0500, to...@tuxteam.de wrote:

[...]

> > This pattern has been seen in other contexts. Here [1] is a good review
> > of "supply chain attacks" [...]

> If you have Rust and Go in mind,

Absolutely not. On the contrary. I don't even think that the language
makes a difference in the risk of supply chain attack.

>                              I am hugely skeptical of both, not
> because of the languages themselves but because both, from what I see,
> do not lend themselves easily to a set of known curated packages that
> can be used for development.
> 
> Noted Debian developer Ian Jackson wrote a blog post back on 21 March
> detailing the extra steps necessary to *only* use Debian Rust packages:
> 
> https://diziet.dreamwidth.org/18122.html

No need to convince *me*.

> > So yes, the pattern was known. It was, up to now, pretty unusual in
> > this context. But the deeper "the stack" becomes... (so I think Nate
> > had a point. That Andy read that as a "systemd insult" is IMHO
> > unfortunate, because it clogs a potentially useful discussion. But
> > there you are).
> 
> I think Andy was responding to Jacob Bachmeyer's use of "katamari" to
> describe systemd/libsystemd which he uses again in:

Yes, but he preferred to latch onto "systemd", which is a pity, because
the "katamari" part does have a point.

> > The next level is using a package fantasized by your trusty "AI" [2]
> > counsellor (and whose name was predicted by a malicious actor, because
> > "AI" tends to fantasize names consistently). Note that this one was
> > just (yet?) a proof of concept.
> 
> I am guessing that the Jia Tan actor(s) are watching the response to
> this event carefully.  I doubt they have been deterred.

We don't know much about Jia Tan (and we might never know). To me, one
possible branch is the one being talked about most, that it was a
state-level actor (group) planning things for two years from the start.

More plausible to me would be a bona fide contributor who at some point
was picked up and turned bad (by bribery or coercion). That's more the
modus operandi of such actors [1]. To be honest, this one is also more
unsettling to me.

Cheers

[1] Remember Bruce Schneier's observation that the NSA is better at
   breaking knuckles than at breaking code?
-- 
t
