Could the XZ backdoor have been detected with better Git/Deb packaging practices?
a day ago
- #Debian
- #OpenSource
- #Security
- The discovery of a backdoor in XZ Utils in 2024 raised concerns about software supply chain security.
- The backdoor was detected due to a performance regression in SSH, leading to its quick removal from major Linux distributions.
- Key questions emerged about why packagers did not notice anomalies in XZ versions 5.6.0/5.6.1, and about how auditable the software supply chains of Linux distributions really are.
- The article provides a methodology for auditing Debian packages, focusing on source code verification rather than binaries.
- Tools like debsnap, diffoscope, and git-buildpackage are recommended for downloading and comparing package versions.
- Verification of upstream and Debian sources using OpenPGP signatures and checksums is detailed.
- The article highlights the challenges of auditing repackaged upstream sources and the importance of git history in reviewing changes.
- The backdoor was sophisticated enough to be nearly undetectable, with its components hidden in test files and Autotools scripts.
- Debian's current practices and policies may not be sufficient to detect similar backdoors, suggesting a need for better tooling and shared workflows.
- The article concludes that, despite these challenges, open source software remains more trustworthy than closed source because it can be audited at all.
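As an added example, not code from the article or from Debian's own tools, here is the checksum half of the source verification step in POSIX sh: parse the Checksums-Sha256 stanza of a .dsc and confirm that every listed file has the stated size and digest, which is what dscverify and dpkg-source do once the OpenPGP signature on the .dsc has checked out. The package name xzsample, the tarball contents and the minimal .dsc are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: check the files a Debian .dsc lists
# against its Checksums-Sha256 stanza. Package "xzsample" and all contents are constructed.
set -eu
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }  # macOS fallback

# verify_dsc_checksums DSC DIR: returns 0 when every file listed in the
# Checksums-Sha256 stanza exists in DIR with the stated size and SHA-256.
# Only meaningful after the .dsc's OpenPGP signature has been verified.
verify_dsc_checksums() {
    dsc=$1; dir=$2
    # Stanza lines look like " <sha256> <size> <filename>"; the stanza ends at
    # the next line that does not start with a space.
    awk '/^Checksums-Sha256:/ {f=1; next} /^[^ ]/ {f=0} f {print $1, $2, $3}' "$dsc" |
    while read -r want_sum want_size name; do
        path="$dir/$name"
        [ -f "$path" ] || { echo "MISSING  $name"; exit 1; }
        got_size=$(wc -c < "$path" | tr -d ' ')
        got_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ] || [ "$got_sum" != "$want_sum" ]; then
            echo "MISMATCH $name (got size $got_size, sha256 $got_sum)"; exit 1
        fi
        echo "OK       $name"
    done   # the loop runs in a subshell; its exit status is the function's result
}

# make_sample DIR: write a constructed "orig" tarball plus a minimal, unsigned
# .dsc that references it (real .dsc files are clearsigned and carry more fields).
make_sample() {
    dir=$1; tarball=xzsample_1.0.orig.tar.xz
    printf 'not really a tarball\n' > "$dir/$tarball"
    sum=$(sha256sum "$dir/$tarball" | cut -d' ' -f1)
    size=$(wc -c < "$dir/$tarball" | tr -d ' ')
    cat > "$dir/xzsample_1.0-1.dsc" <<EOF
Format: 3.0 (quilt)
Source: xzsample
Version: 1.0-1
Checksums-Sha256:
 $sum $size $tarball
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
verify_dsc_checksums "$demo/xzsample_1.0-1.dsc" "$demo"          # prints "OK ..."
printf 'x' >> "$demo/xzsample_1.0.orig.tar.xz"                   # simulate a swapped tarball
verify_dsc_checksums "$demo/xzsample_1.0-1.dsc" "$demo" || echo "tampered tarball rejected"
rm -rf "$demo"
```

Against a real package, run it on the .dsc that debsnap fetched, and only after its signature has been checked against the Debian keyring.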