[conspire] xz exploit and backdoor

Rick Moen rick at linuxmafia.com
Fri Apr 5 00:11:22 PDT 2024 

Quoting Ron / BCLUG (admin at bclug.ca):

> Ya got me wondering - after the ¿HeartBleed? ssh vulnerability a while
> back, there was talk of moving to something like LibreSSH from OpenBSD
> due to the convoluted codebase of OpenSSH.
> 
> That hasn't happened, that I'm aware.
> 
> Anyone know what happened - a major code refactor? A re-badging of
> LibreSSH?  A collective amnesia allowing us to continue on without
> awaking in the middle of the night, screaming in a cold sweat?

I'm going to have to frame this as a question, because I honestly don't
know:  Did LibreSSH ever even happen at all?  I find no traces of a
codebase, just people about a decade ago speaking of it in (perhaps)
theoretical terms.

A decade ago was about when the OpenBSD Foundation got so sick and tired
of OpenSSL problems that they created the pared-down LibreSSL fork,
which was a very good idea and is quite meritorious.  But LibreSSH?  I 
haven't found it actually having come about, or at least if it did it
seems to have vanished without a trace.

A propos of nothing, a long time ago, I maintained the canonical (well,
most comprehensive) catalogue of all known SSH implementations for all
platforms, but I haven't seriously maintained it for long years.
http://linuxmafia.com/ssh/ 

By contrast, I mention Dropbear and wolfSSH because they _arguably_ have
some of the traits I seek:  Both are spare in their feature sets, in
part because both have a niche in embedded use.  Both have a possibly
concerning drawback, of a thin maintainer base.  (See: xz-utils.)

Both are actively maintained -- but one must be careful to not
overinterpret last-released dates.  Sometimes, a codebase is so-called
"unmaintained" because nothing about it has needed maintenance in a long
time, the classic example being procmail, which from the cynic's
perspective is unmaintained and has no upstream.  From a non-cynical
perspective, though, it's finished and doesn't need work.

That happy state is more likely in a modestly scoped codebase than a
complex, featureful one, of course.
 
> I'm rather hesitant to install what I often call "boutique" software
> - something created, often from a fork of a larger project, to
> scratch some itch.

That can go either way.  It could be a one-off stunt that ends up having
no future, _or_ it could become a variant with many fans and enough good
maintainer because of the particular differences, a with LibreSSL in
relation to the unloved spaghetti-code OpenSSL codebase.

> Always wary that the maintainers can keep up to the security issues
> in a timely manner.

You bet.  With the complicating factor that, if the particular
difference is one of decomplication and risk-reduction, then
lackadaisical maintenance becomes much less of a problem because, 
with reasonable luck, problems will become less urgent and less
frequent.

A subcare of that is a persistent fork performed via a modest changeset, 
the example I have in mind being the ungoogled-chromium Web browser.
It's thinly maintained and not all that often re-released, but OTOH 
since it consists primarily of a set of patches to strip Google, Inc.
corporate crud from Chromium, and those patches finesse away a lot of
the problematic bits of Chromium, the urgency and frequency of needed
re-releases goes down.

Here's what I recently wrote about that on Mastodon:



@kurtsh (About
https://www.npr.org/2024/04/01/1242019127/google-incognito-mode-settlement-search-history:)
I've saying people for ages that Google Chrome being from a surveillance
capitalism firm is a red flag, but, as usual, some people are slow
learners.

Since 2015, pseudonymous developer "Eloston" and a small number of
others have removed the code for Google-specific Web services from
Chrome's open-source base browser Chromium, replaced Google's binary
BLOBs, added configuration flags missing from Chrome, and in general
applied a patchset to remove corporate embuggerment -- as persistent
fork "ungoogled-chromium".

It's the lightest-weight, most privacy-preserving, Web browser based on
the underlying Chromium (V8, Blink) browser on all OS platforms.  On the
minus side, ungoogled-chromium developer support is concerningly thin
(and pseudonymous), a risk factor your colleague Andres Freund
(@AndresFreundTec), the hero of the year, recently reminded us of.  

Details for the curious:  

https://en.wikipedia.org/wiki/Ungoogled-chromium
https://www.youtube.com/watch?v=sTLRLawI3s

More information about the conspire mailing list