[conspire] xz exploit and backdoor

Ivan Sergio Borgonovo mail at webthatworks.it
Fri Apr 5 16:46:38 PDT 2024

On 4/5/24 8:30 PM, Rick Moen wrote:
> Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):
> 
>> On 4/5/24 6:40 AM, Rick Moen wrote:
>>
>>> Getting back to distro software choice and packaging:  The "every
>>> possible use-case must be supported out of the box" syndrome is
>>> dispiritingly ubiquitous.  Some stuff is compiled into a daemon binary
>>> even though almost nobody will use it, just because someone might.
>>> Why is Apache httpd almost always the default, rather than Lighttpd,
>>> nginx, sthttpd, or Hiawatha?  Because it's big, dumb software that does
>>> everything, that everyone's used to.
>>>
>>> $FIRM ran Apache httpd, but many PCI DSS complaints got finessed by
>>> sending them our conffiles where various buggy features were
>>> specifically disabled.

>> Because you don't get rid of complexity, you just move it somewhere else.

> I respectfully disagree.  Sometimes, you can actually strip complexity
> from an existing codebase in the field, either by local configuration
> change, or by local reconfiguration/recompile from a source package,
> with the aim and result of substantially reducing the attack surface.

So you agree with me, but you don't want to. You're moving know-how and 
complexity from one domain to another ;)

Unless you're saying that administering systems comes for free and 
requires no knowledge.

Of course, as I said... the best "solution" depends on the stakeholders.

E.g. you may write bloated software because someone is in a hurry or has 
to sell it... but you may write complex software just because the 
problem is complex.

The need for certain features may change over time... some protocols may 
have been abandoned etc... but even good software like postfix comes 
with a lot of features that are rarely used or make sense just in 
certain circumstances. Compiling it yourself just to reduce attack 
surface will make things more complicated, hard to manage etc... doesn't 
come for free and it has its own drawbacks even in terms of security.

Then of course there is good software and bad software as there is good 
administration and bad administration. But knowing which is which again 
doesn't come for free... it could be cheap to know and understand... or 
it may not be.

Again, there is a quite large overlap between the reasons you choose a 
package and the way I choose a library...

-- 
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net