Gary Buhrmaster wrote:
What I do think we should start with is look at the
list of dependencies in the list of whatever we
can agree are security critical packages (running
as root and opening network ports is always a
good start) and dependencies which are not
supported by a large-ish organization (even if
only informal), with a set of experienced
developers, and sufficiently funded to continue
support of the package, and has a good security
reporting and response process in place.
What if, as in the case of SELinux, said "large-ish organization" is exactly
the kind of organization one would expect to plant a backdoor like this?
Also, a "large-ish organization" can be secretly contacted by the
intelligence agencies of the country it resides in and tasked to implement
secret backdoors for them. It has happened with large proprietary software
providers, so why could it not happen with a large organization developing
Free Software?
Projects done by a "large-ish organization" are NOT immune to this kind of
attack. It would just be executed differently, not as a hostile takeover by
one "motivated new maintainer" as for an individual hobbyist project like
xz.
Kevin Kofler