Hi,
It was sheer luck that the exploit was discovered and major distros haven't yet
included it in their stable releases. It's quite possible and plausible it could have
reached RHEL, Debian, Ubuntu, SLES and other distros and it's almost reached Fedora
40.
I don't know how to talk to RedHat/IBM/FSF/Ubuntu and all the big players behind Open
Source/Linux but I want to raise a very important issue.
There's near zero accountability for the tens of thousands of packages included in
Linux distros, often by maintainers who have no resources, qualifications or even know any
programming languages to spot the "bad" code and raise an alarm. Upstream
packages are pushed into Linux distros without considerationand that's it.
That's all completely unacceptable on multiple levels. Security is a joke as a result
of this considering the infamous "Jia Tan" who was almost the sole maintainer of
XZ for over two years.
I propose this issue to be tackled in a centralized way by the collaboration of major
distros.
There must be a website or a central authority which includes known to be
good/safe/verified/vetted open source packages along with e.g. SHA256/384/512/whatever
hashes of the source tarballs. In addition, the source tarballs (not their compressed
versions because people may use different compressors and compression settings) and their
hashes must be digitally signed or have the appropriate PGP signatures from the trusted
parties.
Some parties must be assigned trust to be able to push new packages to this repository.
Each push must be verified by at least two independent parties, let's say RedHat and
Ubuntu or Ubuntu and Arch, it doesn't matter. The representatives of these parties
must be people whose whereabouts are known to confirm who they physically are. No
nicknames allowed.
This website must also have/allow a revocation mechanism for situations like this.
Now Fedora/Arch/Debian/Ubuntu/whatever distros can build packages knowing they are safe to
use.
If that's the wrong place to come up with this proposal, please forward it to the
people who are responsible for making such decisions. I'm not willing to dig through
the dirt to understand how the Fedora project works, who is responsible for what, and what
are the appropriate communication channels. If you care, you'll simply forward my
message. Thanks a lot.
Best regards,
Artem