
Re: Three steps we could take to make supply chain attacks a bit harder


From:  Adam Williamson <adamwill-AT-fedoraproject.org>
To:  Development discussions related to Fedora <devel-AT-lists.fedoraproject.org>
Subject:  Re: Three steps we could take to make supply chain attacks a bit harder
Date:  Sun, 31 Mar 2024 01:58:21 -0700
Message-ID:  <788b04404affa4384a72b5ef178850d3091d7c9c.camel@fedoraproject.org>

On Sat, 2024-03-30 at 09:37 +0000, Richard W.M. Jones wrote:
> I'm not pretending these will solve everything, but they should make
> attacks a little harder in future.

I don't disagree with Richard's list. However...more in regards to some
of the grandiose ideas in later posts than Richard's list...I think
we're in danger of building castles in the sky while not cleaning up
the poop in our backyard, here.

Before we start in on the grand fantasies about converting the world
off autotools or banning binaries in repos or centralized source depots
authenticated by a committee of Top People, can we remember:

1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
COMPULSORY 2FA FOR FEDORA PACKAGERS*.

2. Our process for vetting packagers is, let's face it, from a security
perspective almost *comically* patchy. There are 140 sponsors in the
packager FAS group. Any one of those people - or someone who
compromises any one of those 140 accounts - can grant any other person
on earth Fedora packager status. Our policy on how they should do this
is
https://docs.fedoraproject.org/en-US/package-maintainers/...
. The words "trust" and "identity" do not appear in it. There is,
AFAIK, no policy or procedure by which inactive sponsors have this
power removed. There is no mandatory 2FA policy for sponsors.

3. We have no mechanism to flag when J. Random Packager adds
"Supplements: glibc" to their random leaf node package. As a reminder,
*we are a project that allows 1,601 minimally-vetted people to deliver
arbitrary code executed as root on hundreds of thousands of systems*,
and this mechanism allows any one of those people to cause the package
they have complete control over to be automatically pulled in as a
dependency on virtually every single one of those systems.

4. Our main auth system was written years ago by someone who no longer
contributes and nobody is really actively maintaining it[0].

These are just the ones that leap to my tired mind at this moment. I'm
sure we can think of many more things we should probably look at before
we start pontificating (or, worse, lecturing) about how things should
be done upstream of us.

[0]: https://pagure.io/ipsilon/commits/master
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@fosstodon.org
https://www.happyassassin.net
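The third point above describes a gap in review tooling: nothing flags a weak reverse dependency such as "Supplements: glibc" that would pull a leaf package onto nearly every installed system. The following is an added example, not code from the post or from Fedora infrastructure, of the kind of spec-file check a reviewer or CI job could run. The list of "ubiquitous" packages and the sample spec are constructed for the example; a real deployment would maintain its own watch list.

```python
import re

# Weak-dependency tags. Supplements/Enhances are reverse tags: the package
# being built names the *other* package whose presence should pull it in.
WEAK_TAGS = ("Supplements", "Enhances", "Recommends", "Suggests")

# Constructed watch list (assumption): packages present on almost every
# Fedora system, so a weak dependency pointing at them is effectively global.
UBIQUITOUS = {"glibc", "bash", "systemd", "filesystem", "setup", "rpm"}

# "Tag: value" or "Tag(qualifier): value"; comments and %directives do not match.
TAG_RE = re.compile(r"^\s*(?P<tag>[A-Za-z]+)(?:\([^)]*\))?\s*:\s*(?P<value>.+?)\s*$")
# Package names inside a dependency string; version operators and numbers
# are skipped because they never start with a letter or underscore.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.+-]*")
RICH_WORDS = {"and", "or", "if", "else", "with", "without", "unless"}


def dep_names(value):
    """Return the package names referenced in a dependency tag value,
    handling comma lists, version constraints and rich boolean expressions."""
    return [tok for tok in NAME_RE.findall(value) if tok not in RICH_WORDS]


def flag_weak_deps(spec_text):
    """Scan spec text and return (line number, tag, target) for every weak
    dependency tag whose target is on the ubiquitous watch list."""
    hits = []
    for lineno, line in enumerate(spec_text.splitlines(), start=1):
        m = TAG_RE.match(line)
        if not m or m.group("tag") not in WEAK_TAGS:
            continue
        for name in dep_names(m.group("value")):
            if name in UBIQUITOUS:
                hits.append((lineno, m.group("tag"), name))
    return hits


# Constructed sample spec: a leaf package that quietly supplements glibc.
SAMPLE_SPEC = """\
Name:           leafpkg
Version:        1.0
Release:        1%{?dist}
Summary:        Constructed example leaf package
License:        MIT
BuildRequires:  gcc
Requires:       libfoo >= 2.0
# The next line would make dnf install leafpkg wherever glibc is present.
Supplements:    glibc
Recommends:     libbar

%package tools
Summary:        Tools
Enhances:       (bash and systemd)
"""

if __name__ == "__main__":
    for lineno, tag, target in flag_weak_deps(SAMPLE_SPEC):
        print(f"line {lineno}: {tag} targets ubiquitous package {target}")
```

Run as a pre-merge check, a non-empty result from flag_weak_deps is a signal for a human reviewer, not a verdict: legitimate uses of Supplements exist, but they should be rare enough to look at each one.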
Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds