> The OpenSSH project is careful about not taking on unnecessary dependencies, but Debian was not as careful. That distribution patched sshd to link against libsystemd, which in turn linked against a variety of compression packages, including xz's liblzma. Debian's relaxing of sshd's dependency posture was a key enabler for the attack, as well as the reason its impact was limited to Debian-based systems such as Debian, Ubuntu, and Fedora, avoiding other distributions such as Arch, Gentoo, and NixOS.

Does Fedora use Debian's patch set for sshd, or a similar patch set that adds libsystemd?

Edit: It looks like Fedora wasn't affected because the backdoor triggered a valgrind test failure, so they shipped it with a flag that disabled the functionality that was backdoored. Seems like they lucked out. https://lists.fedoraproject.org/archives/list/devel@lists.fe...

A very well-written piece. The section on funding open source is as relevant as it's ever been, and I don't think we've learnt much since last year.

As the proportion of younger engineers contributing to open-source decreases (a reasonable choice, given the state of the economy), I see only two future possibilities:

1. Big corporations take ownership of key open-source libraries in an effort to continue their development.

2. Said key open-source libraries die, and corporations develop proprietary replacements for their own use. The open source scene remains alive, but with a much smaller influence.

From Linux Security Summit 2019, a retrospective on mandatory access control and bounding "damage that can be caused by flawed or malicious applications" in Android, iOS, macOS, Linux, FreeBSD and Zephyr, https://static.sched.com/hosted_files/lssna19/e5/LSS2019-Ret...

  For the past 26 years, the speaker has been engaged in the design, implementation, technology transfer, and application of flexible Mandatory Access Control (MAC). In this talk, he describes the history and lessons learned from this body of work. The background and motivation for MAC is first presented, followed by a discussion of how a flexible MAC architecture was created and matured through a series of research systems. The work to bring this architecture to mainstream systems is then described, along with how the architecture and implementation evolved. The experience with applying this architecture to mobile platforms is examined. The role of MAC in a larger system architecture is reviewed in the context of a secure virtualization system. The state of MAC in mainstream systems is compared before and after our work. Work to bring MAC to emerging operating systems is discussed.

video: https://www.youtube.com/watch?v=AKWFbxbsU3o

One of my struggles is to get docker to lockdown which images it loads. I'd like to only pull from my own blessed registry and it seems Docker wants to always go back to theirs.

For other "package" managers (eg: CPAN, Debian) I can point to my own archive and be sure everything I manage down stream gets the blessed bits.

I basically have a huge archive/mirror for the supply chain for my perl, PHP, JavaScript, etc.

If anyone has pro tips on how to "lock" docker to one registry that would be cool.

A lovely article, but one section definitely needs a [citation needed]

> (OpenSSL is written in C, so this mistake was incredibly easy to make and miss; in a memory-safe language with proper bounds checking, it would have been nearly impossible.)

    package main

    import "fmt"

    type CmdType int

    const (
        WriteMsg CmdType = iota
        ReadMsg
    )

    type Cmd struct {
        t CmdType
        d []byte
        l int
    }

    var buffer [256]byte

    var cmds = []Cmd{
        Cmd{WriteMsg, []byte("Rain. And a little ice. It's a damn good thing he doesn't know how much I hate his guts."), 88},
        Cmd{WriteMsg, []byte("Rain. And a little ice."), 23},
        Cmd{ReadMsg, nil, 23},
        Cmd{ReadMsg, nil, 88}, // oops!
    }

    func main() {
        for c := range cmds {
            if cmds[c].t == WriteMsg {
                copy(buffer[:], cmds[c].d[:cmds[c].l])
            } else if cmds[c].t == ReadMsg {
                fmt.Println(string(buffer[:cmds[c].l]))
            }
        }
    }

The heartbleed problem was that user-controlled input could say how long it was, separate from how long it actually was. OpenSSL then copied the (short) thing into a buffer, but returned the (long) thing, thus revealing all sorts of other data it was keeping in the same buffer.

It wasn't caught because OpenSSL had built its own buffer/memory management routines on top of the actual ones provided by the language (malloc, memcpy, realloc, free), and all sorts of unsafe manipulations were happening inside one big buffer. That buffer could be in a language with perfect memory safety, the same flaw would still be there.