
Re: making Debian secure by default



On Fri, Mar 29, 2024, 12:24 PM Joe <joe@jretrading.com> wrote:
On Fri, 29 Mar 2024 16:53:04 +0000
Andy Smith <andy@strugglers.net> wrote:

> Hello,
>
> On Thu, Mar 28, 2024 at 05:47:44PM -0000, Curt wrote:
> > On 2024-03-28, Greg Wooledge <greg@wooledge.org> wrote: 
> > >
> > > A more proactive endeavor would be to document known best
> > > practices 
> >
> > It makes no fucking difference, because your important data is
> > elsewhere and completely out of your control. 
>
> I WAS going to gently suggest that you have a lie down in a cool,
> shaded room, but which of us had this on our 2024 bingo card?
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> (Upstream xz/lzma project compromised, hostile code inserted into
> sshd in Debian sid and other leading edge distros.)
>

Hah! Most of us remember Heartbleed.

He's actually referring to credentials stored externally being
compromised. I'm not sure what can be done about that: maybe make some

I would think A Smith's comment here was directed to this interesting bit from the report he cited:

Given the activity over several weeks, the committer is either directly
involved or there was some quite severe compromise of their
system. Unfortunately the latter looks like the less likely explanation, given
they communicated on various lists about the "fixes" mentioned above.

End quote. The issue appears to be a bad actor masquerading as (or being) the real maintainer. There's no software-development or identity-management solution to that; it has to be organizational. We're lucky to have software guys as sharp as the one who caught this.

kind of, you know, law, about storing sensitive data, and prosecuting
people who are responsible for failure to keep it secure... nothing
like accountability for discouraging negligence.

--
Joe

