Attack on SolarWinds could have been countered by reproducible builds

Ximin Luo infinity0 at debian.org
Wed Dec 30 22:47:10 UTC 2020


From my experience working in R-B, media chatter isn't sufficient to overcome engineering inertia.

There's a lot of tunnel vision and arrogant engineers in upstream toolchain projects nitpicking at technical crap that doesn't matter, when we submit patches. To advance reproducible builds, this social issue has to be addressed somehow.

Newer projects (e.g. Rust) are better at this, possibly because they pay more attention to the media. (This isn't necessarily a good thing in general, but it helps in this specific case.)

Of course maintaining a FOSS project is also thankless work, so understandably some engineers are more conservative and grumble about outsiders. At some point it becomes obstructionism though. I don't know enough about who is getting paid by $BIGCO vs who is getting zilch, to comment on which specific projects have which problems. It is a broad-spectrum thing that goes across the board.

X

Hans-Christoph Steiner:
> 
> Thanks for this info!  RB work can be a slog through annoying technical details, so confirmation of its importance always helps lift my spirits.  It's definitely good fodder for getting funding for related work.
> 
> .hc
> 
> David A. Wheeler:
>> All:
>>
>> There’s been a recently-revealed attack on the SolarWinds product “Orion”, a Network Management System (NMS). This software is widely used and thus this attack is extremely concerning.
>>
>> According to SANS, “SolarWinds has published limited information in which they state they believe the build environment was compromised.” https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
>>
>> Let me restate this: it appears that the *source code* wasn’t compromised, and the *distribution* system wasn’t compromised. Instead, the *build system* was compromised. This is *EXACTLY* the kind of attack that is countered by reproducible builds. Thus, the recent SolarWinds subversion is a very good argument for why it’s important to have reproducible builds (and to verify builds using reproducible builds).
>>
>> I’ve read a number of articles about SolarWinds, and none of them mention reproducible builds, even though reproducible builds is clearly a countermeasure to this problem. Perhaps journalists will eventually learn about reproducible builds; that would be nice!
>>
>> --- David A. Wheeler
>>
>> PS: Here are some articles about the attack on SolarWinds:
>> https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
>> https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html
>> https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html
>> https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now
>> https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/
>>
>>
> 


-- 
GPG: ed25519/56034877E1F87C35
https://github.com/infinity0/pubkeys.git
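The scenario David Wheeler describes (source repository and download site intact, build host altered) is easy to model. The script below is an added illustration, not code from anyone on this thread or from SolarWinds: a deterministic build of a constructed sample source tree (fixed timestamps, sorted entries, normalised permissions), and a comparison of the vendor-shipped artifact against independent rebuilds, which is the check reproducible builds make possible.

```python
"""Build-host compromise model: the source is unchanged, only the build output
differs. Independent reproducible rebuilds expose the divergence by hash."""
import hashlib
import io
import zipfile

# Constructed sample source tree for a hypothetical project (not real code).
SOURCE = {
    "nms/__init__.py": b"VERSION = '1.0'\n",
    "nms/collector.py": b"def poll(host):\n    return {'host': host, 'up': True}\n",
}

# Every rebuilder pins the same timestamp (the SOURCE_DATE_EPOCH idea);
# 1980-01-01 is the earliest date a zip entry can carry.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build(source, injected=None):
    """Deterministic build: sorted entry order, fixed mtime, fixed mode.
    `injected` = (path, bytes) models a tampered build host appending data
    to one file's *output* without touching the source tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # entries are stored, not deflated
        for name in sorted(source):
            data = source[name]
            if injected and name == injected[0]:
                data += injected[1]
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.external_attr = 0o644 << 16  # normalised permissions
            zf.writestr(info, data)
    return buf.getvalue()


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def verify(published, rebuilds):
    """Compare the distributed artifact with independent rebuilds of the
    same source. Returns (all_match, {who: digest}) so the caller can see
    which party disagreed."""
    digests = {"published": digest(published)}
    digests.update((who, digest(a)) for who, a in rebuilds.items())
    return len(set(digests.values())) == 1, digests


if __name__ == "__main__":
    honest = {"rebuilder-A": build(SOURCE), "rebuilder-B": build(SOURCE)}
    print("clean build reproducible:", verify(build(SOURCE), honest)[0])
    tainted = build(SOURCE, injected=("nms/collector.py", b"# build-host marker\n"))
    print("tainted build detected:", not verify(tainted, honest)[0])
```

Remove the fixed timestamp and the two honest rebuilds stop agreeing, which is why the toolchain work Ximin describes matters: without a deterministic build there is no baseline to compare the shipped artifact against.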

