Josh Bressers

16 hours ago

Josh Bressers
16 hours ago

This week on #OpenSourceSecurity I talk to @ottok about his blog post about detecting an attack like xz in Debian

It's a fascinating conversation about a very complicated topic

There are things that could be detected, but this one would have been very very difficult

opensourcesecurity.io/2025/202…

Detecting XZ in Debian with Otto Kekäläinen

In this episode, Josh and Otto dive into the world of Debian packaging, exploring the challenges of supply chain security and the importance of transparency in open source projects.

^{Josh Bressers (Open Source Security)}

#opensourcesecurity @Otto

in reply to Josh Bressers

daniel:// stenberg://

in reply to Josh Bressers 16 hours ago

one thing we finally made real in #curl as a direct consequence of the xz attack was reproducible builds. Since the xz release added things into the release that did not come from autotools nor git, verifying reproducible builds would have caught that. Having that in place forces attackers to land their backdoor in git to be able to ship it, which should increase the bar significantly.

#curl

in reply to daniel:// stenberg://

Josh Bressers

in reply to daniel:// stenberg:// 16 hours ago

@bagder
This is a good point

It's of course extra hard in the distro world as using release source tarballs is still super common

But building out of git instead of a release is probably a future end state

@daniel:// stenberg://

in reply to Josh Bressers

daniel:// stenberg://

in reply to Josh Bressers 16 hours ago

yeah, in the #curl case I hope and wish that the people making the curl packages for distros (or build curl for other purposes) do the reproducible check - so that they know for sure that the one doing the curl releases didn't smuggle anything in. It also usually also requires that a few people do it and can trigger the alarm if they would find something odd.

At least we make it possible.

#curl

in reply to Josh Bressers

daniel:// stenberg://

in reply to Josh Bressers 16 hours ago

building from git means building without autotools on every single platform and would mean I would have to use cmake on a daily basis which would drive me nuts. So not likely to happen anytime soon in curl 😃

in reply to daniel:// stenberg://

Otto

in reply to daniel:// stenberg:// 14 hours ago

@bagder There are also many projects not using git. The plain files collection (tarball) will remain as the lowest common denominator for a long time. Anyway the build change could have also been committed to git just like the new test files were. Doing it in only the tarball was just one layer of extra obscurity, not really the key here.

@daniel:// stenberg://

in reply to Otto

daniel:// stenberg://

in reply to Otto 13 hours ago

I think it was part of the key for the xz attack. The git repository gets wider exposure and review by the public - that was avoided by injecting the files directly into the tarball.

⇧

Josh Bressers 16 hours ago • •

Josh Bressers
16 hours ago