
Fifty Years of Open Source Software Supply Chain Security (Queue)

ACM Queue looks at the security problem in the light of a report on Multics security that was published in 1974.

We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real. Modern programming environments such as Go, Node, and Rust have made it trivial to reuse work by others, but our instincts about responsible behaviors have not yet adapted to this new reality.

The fact that the 1974 Multics review anticipated many of the problems we face today is evidence that these problems are fundamental and have no easy answers. We must work to make continuous improvements to open source software supply chain security, making attacks more and more difficult and expensive.


Bootstrappable?

Posted Apr 8, 2025 3:20 UTC (Tue) by pabs (subscriber, #43278) [Link]

Hmm, no mention of Bootstrappable Builds. That community really needs more marketing.

https://bootstrappable.org/
https://lwn.net/Articles/983340/
https://stagex.tools/

Good article - one small mistake

Posted Apr 8, 2025 7:54 UTC (Tue) by amacater (subscriber, #790) [Link]

In commenting on the xz vulnerability - Fedora is not a Debian-based OS :)

Spearphishing in the references?

Posted Apr 8, 2025 12:23 UTC (Tue) by jejb (subscriber, #6654) [Link] (1 responses)

References 3, 4 and 26 don't point where they claim. 4 and 26 look like cut and paste, but 3 has all the hallmarks of a standard phishing attack (although you need an active Google account to get it to do something). Some type of spearphishing for reference-checking nerds?

Spearphishing in the references?

Posted Apr 8, 2025 17:28 UTC (Tue) by khim (subscriber, #9252) [Link]

#3 is just a normal link to a “Google Workspace for your team” spreadsheet. It's impossible to check, but it looks like a normal sharing link for www.whatexit.org. You need permission to access it in your Google Account to see anything useful there, though.

Thus #3 is also a typo.

Can Tux trust the US anymore?

Posted Apr 8, 2025 15:41 UTC (Tue) by gmatht (guest, #58961) [Link] (6 responses)

We have banished the Russian maintainers. But the US Government has birdsmirched Tux's reputation, falsely claiming he and his penguin buddies launched a tariff war against the US. Then there is the whole the US will "100%" steal land from NATO thing.

Given that Australian maintainers have already warned that they cannot be trusted because Australian law allows the government to force citizens to insert malware, I highly doubt the US is above doing the same. And while China is not actively boasting that they will invade their own allies, I wouldn't trust them to maintain my kernel either.

The penguin in the room is that many developers are now living in countries that have no compunction against coercing them to corrupt their own supply chain.

Links to Australian maintainers saying to not trust them?

Posted Apr 8, 2025 17:48 UTC (Tue) by DemiMarie (subscriber, #164188) [Link]

Do you have concrete examples of Australian maintainers saying, “Don’t trust me!”?

Can Tux trust the US anymore?

Posted Apr 9, 2025 2:41 UTC (Wed) by raven667 (subscriber, #5198) [Link] (4 responses)

The US is going through some things right now due to its poor decisions, but I'm not sure the overall point is actually going the right way. When analyzing risk it's not enough to say that someone has the _capability_ to do harm; lots of nations have security services that could compel a backdoor if they wanted to hard enough. What's the likelihood they choose to do so, why, and for what gain? If they _have_ done so, then where is the evidence? Once someone notices them it's possible to verify the facts and understand the timeline. Mysterious "this could happen" is more fun but less useful than "this has happened in this $incident" or "this is likely to happen because $reason". Once you understand the capabilities and likelihood then you can start comparing the risk to other risks to make choices.

Can Tux trust the US anymore?

Posted Apr 9, 2025 9:01 UTC (Wed) by Wol (subscriber, #4433) [Link] (1 responses)

And if I remember correctly, weren't Huawei blamed for a rather nasty "back door"? Which, upon investigation, turned out to be present in a load of old code (legally) copied from Cisco?

Much as there's lots about China I don't like, one thing they do NOT seem to be doing is engaging on the scale of industrial espionage, theft, and general IP misbehaviour that seems to be "Business As Usual" in the US.

Cheers,
Wol

Can Tux trust the US anymore?

Posted Apr 9, 2025 9:22 UTC (Wed) by paulj (subscriber, #341) [Link]

China may well end up replacing Linux, because of the US-led west's attempt to stymie their geopolitical rivals' use of open source with western-led development. E.g., Huawei are in the process of replacing Android/Linux with OpenHarmony Next, their Harmony userspace API (already available on their recent Android phones) on top of their own microkernel.

Soon enough phones from one of the leading phone vendors, in the largest market in the world, will no longer have any Linux in them.

Can Tux trust the US anymore?

Posted Apr 10, 2025 2:14 UTC (Thu) by ejona86 (subscriber, #43349) [Link] (1 responses)

Capability seems important, because this stuff has happened and keeps happening. If a nation-state is doing it well enough, you won't know it is actually happening and thus can't actually assess likelihood. While I agree we should prioritize tackling known-real issues and the most tractable problems, I feel like your comment is a pre-Snowden viewpoint. We learned we don't know the capabilities nor their likelihood. I hadn't heard that capability about Australia in particular, but I am surprised to see it dismissed out-of-hand because we've seen how easy it is to hide the FISA court happenings in the US.

Can Tux trust the US anymore?

Posted Apr 14, 2025 17:48 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Maybe I didn't communicate my thought well. I wasn't saying that the capability is rare, a pre-Snowden mindset; I'm saying the capability is so common that it's not the most important criterion for assessing risk. Unless you have specific evidence that a particular bug is from Jia Tan, thinking more about motive will give you a better handle on where the risk is than trying to separate projects based on whether you think that there is a capability or non-capability for subversion or backdoors. There is a capability; what needs estimating is the will to do so.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds