List: freeradius-users
Subject: Comments on the recent XZ attack
From: Alan DeKok <aland () deployingradius ! com>
Date: 2024-04-10 21:58:27
Message-ID: 9D6DC599-1C32-481F-9444-93F331862BDF () deployingradius ! com
The recent XZ back door (https://www.openwall.com/lists/oss-security/2024/03/29/4) highlighted issues with supply chain attacks on Open Source projects.

The curl library has recently had a statement from its maintainer (https://daniel.haxx.se/blog/2024/04/10/verified-curl/). I thought we should do the same.
At FreeRADIUS, we take these attacks seriously, and have a number of measures in place to protect the source code.
- Signed commits and releases
Only a very small number of people have commit access to the git repo. These are people I've known for over a decade, and who I've met personally. The only way to get commit access is to be personally verified, and to be trusted, and to have a history of good code.
All commits by the maintainers are PGP signed. Occasionally we merge GitHub PRs from third parties which aren't PGP signed. Those patches are only allowed if they can be trivially verified to be correct.
We also PGP sign the release tarballs. Those files are generated internally on secure machines, and not on public-facing systems.
- Generated files
All autoconf generated files are committed to the source repository. This decision was made at the start of the FreeRADIUS project, and hasn't changed since.
I recognize that this is largely an ideological issue. Many people believe that "generated files shouldn't be in git". I disagree strongly. The files are small and tracking them in git allows anyone to trivially check for manually mangled releases as was done in the XZ attack. On a similar note, see the curl article for comments on "we're creating a docker file so that people can verify the generated files are correct".
I believe it's simpler for everyone concerned to just commit the generated files. We then don't need to create docker images, or do anything else to verify that the generated files are correct: the files are in git, and are PGP signed.
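The check described in the two sections above (signed tags plus committed generated files mean a release tarball can be compared byte for byte against the repository) is easy to automate. The following is an added example and not FreeRADIUS project code: it models the repository tree at the signed tag as a dict of path to bytes (in practice you would populate it from `git archive <tag>` after `git verify-tag`, and run `gpg --verify` on the tarball's detached signature first), and it constructs a clean and a mangled tarball in memory so the script runs offline. The file names and contents are constructed sample data.

```python
"""Compare a release tarball against the repository tree at the signed tag.

Added example (not FreeRADIUS code). The repository tree is modelled as a
dict path -> bytes; tarballs are built in memory from constructed data.
"""
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_files(tar_bytes: bytes) -> dict:
    """Map each regular file in the tarball to its SHA-256, with the
    top-level release directory (e.g. demo-1.0/) stripped from the path."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            files[path] = sha256(tar.extractfile(member).read())
    return files


def compare_release(tar_bytes: bytes, repo_tree: dict) -> dict:
    """Return files that are modified, added or missing relative to the
    repository tree. A clean release yields three empty lists."""
    in_tar = tarball_files(tar_bytes)
    in_repo = {path: sha256(data) for path, data in repo_tree.items()}
    return {
        "modified": sorted(p for p in in_tar if p in in_repo and in_tar[p] != in_repo[p]),
        "added": sorted(p for p in in_tar if p not in in_repo),
        "missing": sorted(p for p in in_repo if p not in in_tar),
    }


def build_tarball(prefix: str, files: dict) -> bytes:
    """Build a gzipped tarball in memory with every file under prefix/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample repository tree: sources plus the committed autoconf output.
REPO_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\nAC_OUTPUT\n",
    "configure": b"#! /bin/sh\n# generated by autoconf\nexit 0\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

# Clean tarball: identical to what is tracked in git at the tag.
CLEAN_TARBALL = build_tarball("demo-1.0", REPO_TREE)

# Mangled tarball (constructed): the generated configure script was edited
# after tagging and an extra macro file was added; neither change is in git.
MANGLED_TREE = dict(REPO_TREE)
MANGLED_TREE["configure"] = REPO_TREE["configure"] + b"# edited after tagging\n"
MANGLED_TREE["m4/extra.m4"] = b"# file not present in the repository\n"
MANGLED_TARBALL = build_tarball("demo-1.0", MANGLED_TREE)

if __name__ == "__main__":
    for name, tb in (("clean", CLEAN_TARBALL), ("mangled", MANGLED_TARBALL)):
        print(name, compare_release(tb, REPO_TREE))
```

Any non-empty list is a reason to reject the release before building it: "modified" catches a generated file that differs from its committed version, "added" catches files that exist only in the tarball, and "missing" catches a tarball that silently dropped something.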
- Testing and Public PRs
All releases are run through in-depth tests. We use static analysis tools to find a large number of problems. The git "master" branch has automated fuzzers which run every night.
Any PRs from unknown people have to pass all of the tests in order to be committed. In many cases, the FreeRADIUS team rewrites the commit ourselves, and then closes the PR. This process helps keep the code clean, and safe.
- Independence and Overload
The XZ maintainer was vulnerable to social attacks due to being only one person, and being overloaded with work. At that point, it is tempting to bring new / unknown people on board to help.
In contrast, FreeRADIUS has a business behind it: Network RADIUS. The company is operating well, and has a number of people to help share the workload. We are not going to be running out of engineering resources any time soon.
- Conclusion
As a result of all of the above, we believe that we are doing everything in our power to keep FreeRADIUS safe. The possibility of a supply-chain attack is very low, and we are aggressively watching for such attacks.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html