
List:       freeradius-users
Subject:    Comments on the recent XZ attack
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2024-04-10 21:58:27
Message-ID: 9D6DC599-1C32-481F-9444-93F331862BDF () deployingradius ! com

  The recent XZ back door (https://www.openwall.com/lists/oss-security/2024/03/29/4) highlighted issues with supply chain attacks on Open Source projects.

  The curl library has recently had a statement from its maintainer (https://daniel.haxx.se/blog/2024/04/10/verified-curl/).  I thought we should do the same.

  At FreeRADIUS, we take these attacks seriously, and have a number of measures in place to protect the source code.

- Signed commits and releases

  Only a very small number of people have commit access to the git repo.  These are people I've known for over a decade, and who I've met personally.  The only way to get commit access is to be personally verified, and to be trusted, and to have a history of good code.

  All commits by the maintainers are PGP signed.  Occasionally we merge GitHub PRs from third parties which aren't PGP signed.  Those patches are only allowed if they can be trivially verified to be correct.

  We also PGP sign the release tarballs.  Those files are generated internally on secure machines, and not on public-facing systems.

- Generated files

  All autoconf generated files are committed to the source repository.  This decision was made at the start of the FreeRADIUS project, and hasn't changed since.

  I recognize that this is largely an ideological issue.  Many people believe that "generated files shouldn't be in git".  I disagree strongly.  The files are small and tracking them in git allows anyone to trivially check for manually mangled releases as was done in the XZ attack.  On a similar note, see the Curl article for comments on "we're creating a docker file so that people can verify the generated files are correct".

  I believe it's simpler for everyone concerned to just commit the generated files.  We then don't need to create docker images, or do anything else to verify that the generated files are correct: The files are in git, and are PGP signed.

- Testing and Public PRs

  All releases are run through in-depth tests.  We use static analysis tools to find a large number of problems.  The git "master" branch has automated fuzzers which run every night.

  Any PRs from unknown people have to pass all of the tests in order to be committed.  In many cases, the FreeRADIUS team rewrites the commit ourselves, and then closes the PR.  This process helps keep the code clean, and safe.

- Independence and Overload

  The XZ maintainer was vulnerable to social attacks due to being only one person, and being overloaded with work.  At that point, it is tempting to bring new / unknown people on board to help.

  In contrast, FreeRADIUS has a business behind it: Network RADIUS.  The company is operating well, and has a number of people to help share the workload.  We are not going to be running out of engineering resources any time soon.

- Conclusion

  As a result of all of the above, we believe that we are doing everything in our power to keep FreeRADIUS safe.  The possibility of a supply-chain attack is very low, and we are aggressively watching for such attacks.

  Alan DeKok.
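The "generated files are in git" argument above, as an added example that is not part of the original post or of the FreeRADIUS project: a POSIX shell check that compares every file in a release tarball against a reference tree checked out from the signed tag, flagging both edited files and files that exist only in the tarball.  It assumes tar, cmp and find are available and that the reference tree was obtained separately (gpg verification of the tag and tarball signature, then a git checkout); those steps are not run here, and the demo data is constructed.

```shell
# Added example (not FreeRADIUS project code): compare every file in a release
# tarball with a reference tree checked out from the signed git tag. Obtaining
# that tree (gpg --verify on the tag and tarball signature, then git checkout)
# is assumed to have been done separately and is not run here.
# Because generated files such as configure are committed, a modified file and
# a file that exists only in the tarball are both caught by a plain comparison.

# check_release TARBALL REFDIR -> prints findings; returns 0 only when clean.
check_release() {
    tarball=$1; refdir=$2
    tmp=$(mktemp -d) || return 2
    tar -xzf "$tarball" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    top=$(ls "$tmp" | head -n 1)      # release tarballs have one top-level dir
    status=0
    # Word-splitting on the file list: fine for source trees without spaces.
    for path in $(cd "$tmp/$top" && find . -type f | sed 's|^\./||' | sort); do
        if [ ! -f "$refdir/$path" ]; then
            echo "ONLY IN TARBALL: $path"; status=1
        elif ! cmp -s "$tmp/$top/$path" "$refdir/$path"; then
            echo "MODIFIED: $path"; status=1
        fi
    done
    rm -rf "$tmp"
    return $status
}

# Constructed demo data: a reference tree standing in for the tagged checkout,
# a clean tarball built from it, and a tampered tarball whose configure was
# edited after the fact and which carries an m4 file that was never committed.
make_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/ref/m4"
    printf '#!/bin/sh\necho configure\n' > "$work/ref/configure"
    printf 'AC_DEFUN([DEMO_MACRO], [])\n' > "$work/ref/m4/demo.m4"
    cp -r "$work/ref" "$work/demo-1.0"
    tar -czf "$work/clean.tar.gz" -C "$work" demo-1.0
    printf 'echo injected\n' >> "$work/demo-1.0/configure"
    printf 'dnl never committed\n' > "$work/demo-1.0/m4/extra.m4"
    tar -czf "$work/bad.tar.gz" -C "$work" demo-1.0
    echo "$work"
}

# Usage: w=$(make_demo); check_release "$w/clean.tar.gz" "$w/ref"
#        check_release "$w/bad.tar.gz" "$w/ref"   # reports two findings
```

Against a real release, REFDIR is the checkout of the PGP-signed tag, so any difference the script prints is a file that was changed or added after the tree that the maintainers signed.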
