I bet that you use software packages that are built and authored on systems that have systemd+sshd, though.

What happens if development or build machines belong to people who control projects that you trust and have been compromised?

Do you use a web browser? Do you use a graphical desktop environment? Are the machines those guys use vulnerable? Are the developers of the libraries that they depend on vulnerable?

Remember, this guy was attacking a downstream project (sshd) by compromising and signing source in a specific tarball of a library – the malicious code never made it into git – used by an unrelated piece of software (systemd) that some distros, not even the ssh guys, happened to link into sshd’s memory space. He’s trying to compromise unrelated software via elaborate supply chain attacks.

We’ve had a lot of trust among open-source projects, where people just kind of assume that people are doing the right thing, but there are some very, very large places where a potential attacker might manage to get maintainership of a library, if they’re willing to spend a long time slowly getting access.

I’d figured that one day, we’d have a really big apocalypse that would cause some of that to break down, and we’d lose our innocence and have to do things differently.

I mean, let’s say that I’m an important security researcher, and I use R, a common statistical tool, nothing directly to do with security. That pulls in all kinds of libraries from various online statistics archives, and the people working on those aren’t really security people, probably generally don’t know how to vet things effectively even if they wanted to do so. Perl and Python and other tools have similar things. If someone can target that security researcher using that, could be nothing more than an intentionally-induced parsing bug in a library they use, then they can get things like that researcher’s private keys, maybe get ahold of signing keys for software packages and the like.

And in the xz case, it looks like social engineering efforts were used against both the maintainer and packagers. The open-source community has a lot of well-meaning strangers collaborating in good faith, built on a lot of trust extended, and they aimed to exploit that.

All of the problems get a lot harder to deal with when it’s someone willing to spend a lot of time and use sophisticated tactics.

Wow

And for a state sponsored attacker is cheaper to bribe (or threaten to kill, even cheaper) the single developer to add a backdoor than all the research to find a zero day