Eleven years ago a 10,000 ton meteor produced a 400 kiloton blast at 97,000’ above Chelyabinsk, resulting in almost 1,500 injuries. This 60’ rock got everyone paying attention to things, like the 1,200’ asteroid Apophis 99942 that periodically menaces Earth.
Linux had a similar event this month.
I’m going to try to keep this from being excruciatingly technical. Here goes.
Linux programs consist of the program itself plus, for all but the simplest ones, external libraries that are loaded at run time. We call these things “shared object” files on Linux, while Windows refers to them as DLLs (dynamic link libraries). Apple computers have something like this, too, but they’re so sleek and stylish it’s considered impolite to name them.
Linux has a dozen or more file compression utilities, including a very popular option called XZ Utils, which also provides the liblzma shared library. This package was subject to a supply chain attack that became known on March 29th. A long term infiltrator named Jia Tan spent two years doing good work on the application, then kinked it in such a fashion as to create a back door in any system whose sshd remote access software loaded liblzma.
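The practical question for an admin is simply “does my sshd pull in liblzma at all?” Here is a small check script I’ve added for this post (it is not part of XZ Utils or OpenSSH, and the sshd path and the sample ldd listings are my own assumptions, not captures from a real machine). It reads an ldd-style listing and reports whether liblzma shows up, and it can run the live check against the real binary.

```shell
#!/bin/sh
# Added example (not from the original post): does an sshd binary link liblzma?
# Assumptions: POSIX sh; `ldd` is available for the live check; the default
# sshd path below is a guess and may differ on your distribution.

# Returns 0 if the ldd-style listing on stdin mentions liblzma, 1 otherwise.
# Taking stdin lets the same function run on captured output for testing.
listing_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Live check: run ldd on the sshd binary and print a one-line verdict.
# Returns 0 when liblzma is NOT linked, 1 when it is, 2 if no binary found.
check_sshd() {
    bin="${1:-/usr/sbin/sshd}"   # assumed path; adjust for your system
    if [ ! -x "$bin" ]; then
        echo "no sshd found at $bin"
        return 2
    fi
    if ldd "$bin" 2>/dev/null | listing_links_liblzma; then
        # Report the installed xz version alongside, so you can compare it
        # against your distribution's advisory.
        echo "WARNING: $bin links liblzma (xz: $(xz --version 2>/dev/null | head -n1))"
        return 1
    fi
    echo "ok: $bin does not link liblzma"
    return 0
}

# Constructed sample listings (not real captures). The first mimics a
# distribution where sshd reaches liblzma indirectly through libsystemd;
# the second mimics a build with no such dependency.
SAMPLE_LINKED='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
SAMPLE_CLEAN='	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
```

To use it on a live box, source the file and call `check_sshd /path/to/sshd`. A “WARNING” line does not by itself mean you are backdoored; it means the library that carried the back door is reachable from your SSH daemon, which is exactly the condition that made this attack matter, so go compare the printed xz version against your distribution’s advisory.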
Now the entire Linux world is aflame, hunting for other similar instances. This is an absolutely terrible time for this to happen, as at some point during the month of April Ubuntu 24.04 will be released, replacing 22.04 as the long term supported version. Legions of Linux systems are about to update globally.
There are three different interlocking reasons why I’m just casually sitting here writing this. They all have to do with my having the overall discipline needed to provide services in a “hot” environment. The rest of the world is likely rather more concerned at this time.
Conclusion:
This is not the first FOSS supply chain problem we’ve seen; it’s just extraordinarily bad in terms of the scope of the exposure. We need to clone Theo de Raadt a hundred times over and then dispatch them to go through Linux the way OpenBSD is done.
But that wouldn’t work politically even if we could manage the biology of it. Even so, I expect we’re about to see a burst of interest in code review, perhaps even some fundamental changes in the area.