undefined | Better HN

0 pointsbenregenspan1mo ago0 comments

Is the "Jia Tan" XZ Utils compromise not a good example? That relied on code snuck into a release that was not in source.

(It was caught before being promoted into a stable Debian release, yes, but this sort of relied on a happy accident, too close for comfort)

0 comments

5 comments · 2 top-level

jcranmer1mo ago· 3 in thread

The xz utils compromise is a very good example... of why reproducible packages doesn't actually solve anything security-wise!

The backdoor relied first on a difference between building a package in a packaging environment versus building the package on your own. And also, it relied on the very common practice of checking in unreviewable artifacts into the source tree (e.g., the configure script, malicious binary test artifacts).

Reproducible builds guarantee that two people can follow the same instructions and get the same, bit-identical outcome. It does nothing to guarantee that those instructions have not been compromised, and all of the great packaging security failures of my lifetime that I can think of have relied on those instructions being compromised (e.g., xz utils, Debian OpenSSL keygen issues).

uecker1mo ago

An attack would be far easier without reproducible packages. One could upload a compromised binary to debian by becoming a debian developer, blackmail a debian developer to so, or compromise the computer of a debian developer or the distribution.

At the time of xz attack, the package was already reproducible.

jcranmer1mo ago

I'll give an analogy to email and spam. A lot of effort has been spent making sure that if an email is from x@example.com, it actually came from x@example.com, giving us things like SPF, DKIM, and DMARC. And it turns out that the most eager adopters of the newest technology are... the spammers themselves! Because they don't need to lie about their email address; they can have that be completely honest, and instead resort to other tricks to mislead users as to who they are (e.g., the display name, which most email clients blindly trust and happily display).

Similarly for package managers, the biggest issues are typo-squatting or maintainer credentials compromise. And in neither case does the attacker have any incentive to take advantage of it in a way that breaks reproducibility--they can be completely honest about what they're doing. Now even if I were an attacker who had compromised a maintainer's machine, I'd still probably go for compromising the source rather than compromising the final artifact-generation process... simply because compromising the source makes the exploit live longer.

As xz shows, once you have a compromised maintainer, there's basically nothing you can do to fix it except by having someone else discover the compromise and locking out the maintainer.

1 more reply

goodpoint1mo ago

No, reproducible builds make such backdoors more difficult to sneak in together with other checks.

chuckadams1mo ago

The xz hack was still reproducible, because it was included in the distribution archive which did not match the upstream source -- even then, it was so obfuscated it likely would have gone unnoticed, but nevertheless it only lived in the uploaded tarball and not in the repo. Reproducibility is a good thing, but the next step is build provenance.

Still, lots of good non-security benefits to reproducible builds too.

j / k navigate · click thread line to collapse