<div dir="ltr"><div dir="ltr">On Sat, Apr 6, 2024 at 1:43 AM Heiko Becker <<a href="mailto:heiko.becker@kde.org">heiko.becker@kde.org</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Friday, 5 April 2024 12:04:28 CEST, Albert Vaca Cintora wrote:<br>
> It seems a lot of people feel conservative in favor of tarballs, so<br>
> maybe I aimed too far. At least I think the discussion brought some<br>
> interesting points that we can explore further. Some I identified:<br>
><br>
> - The tarballs should contain no changes with respect to git, or<br>
> minimal changes obviously justifiable in a diff.<br>
<br>
Like I wrote earlier in this thread, this should hold true already since <br>
the translations are synced to git.<br></blockquote><div><br></div><div>I would consider any tarball that contains modified files (ie. is not a one to one representation of the git tag it represents) to be invalid for the purposes of KDE project releases.</div><div>Now that translations are synced into our Git repositories there is no reason why we should have differences.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> - Tarballs should only be generated in a reproducible manner using<br>
> scripts. Ideally by the CI only.<br>
> - We should start to sign tarballs in the CI.<br>
<br>
The scripts already exists for the bundles and users of releasme. Letting <br>
the CI create tarballs seems indeed like a good way to reduce possibilities <br>
of human tampering.<br>
With regard to signing: At first I thought that it means something that the <br>
person responsible for the release is also signing the tarballs. But maybe <br>
there could even be two signatures in the future, one by CI and one by the <br>
release person (although that would probably mean a few challenges for the <br>
tooling).<br>
<br>
> - We should start to sign commits and tags. Git recently made this<br>
> super easy by allowing signing with the ssh keys that we all are<br>
> already using to push things, so no excuses for not enabling this.<br>
<br>
We already sign commits for the 3 release bundles and users of relaseme.<br>
<br>
But I'm surprised about the total absence of social aspects of the xz <br>
incidence during this discussion.<br>
Admittedly we fall back to community maintenance if a maintainer becomes <br>
unavailable, so the exact xz scenario doesn't seem likely. But there are <br>
probably a few projects on the fringes. Do we have safeguards in place if a <br>
nefarious person tries to steps up as maintainer? Can we do something to <br>
help projects, which are struggling?<br></blockquote><div><br></div><div>This is really the key issue at hand. </div><div><br></div><div>If you look at the timeline in question, the malicious actor(s) in the XZ incident moved slowly, starting as a general contributor, accruing trust and eventually made their way up to getting maintainer access and the ability to make releases.</div><div><br></div><div>Even with the various checks and balances we have in place around granting developer accounts, who gets permissions to update our websites, requiring people to go through tickets to publish releases on <a href="http://download.kde.org">download.kde.org</a>, etc. a similar kind of attack played out over a long enough period of time is still one that none of our technological protections would be able to stop - as people who have been long term contributors and have worked their way up to being a maintainer will tend to obtain the necessary permission or trust of those with permissions.</div><div><br></div><div>Such attacks however will always fail when confronted with enough sunlight however, something that Linus' law of "with enough eyes all bugs are shallow" covers fairly well. </div><div>To adequately protect ourselves we need to ensure that projects that only have 1 or 2 maintainers, as well as those that are "community maintained" are monitored (historically a function that kde-commits@ has filled).</div><div><br></div><div>There is also something to be said that for larger projects such as ours (ie. the ones who are targets) that we should also be keeping an eye on the smaller libraries that we depend on - as while we may be too hard to attack it is much easier to attack those we depend on who don't have the same resources we do (which is basically what happened with XZ/OpenSSH).</div><div><br></div><div>These would be projects with just one or two maintainers with fairly infrequent activity, and that are often located in a maintainers personal namespace on GitHub or Gitlab.com, or on personal hosting of their own. Examples of projects in this sort of space would be the likes of QtKeychain or kColorPicker (just picking two that immediately spring to mind), but there is no reason that shouldn't also cover non-Qt libraries. There are probably a couple of different options we could explore in this space as to how to best accomplish this.</div><div><br></div><div>We should also consider whether it is acceptable for us to depend on any project that uses a build system that is either bespoke or not modern (ie. autotools, self-written bash scripts, etc) - as that was a significant contributor to how the XZ attack was able to be perpetrated. My vote would be that it is not acceptable and we should be strongly pushing any project that does not use a modern build system to migrate to one that is.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Regards,<br>
Heiko<br></blockquote><div><br></div><div>Cheers,</div><div>Ben </div></div></div>