Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20240428003506.87cd6009-f57c-4c78-8503-1b917a8c558c@korelogic.com>
Date: Sun, 28 Apr 2024 00:45:34 -0600
From: Hank Leininger <hlein@...elogic.com>
To: oss-security@...ts.openwall.com
Subject: Re: Update on the distro-backdoor-scanner effort

On 2024-04-28, Morten Linderud wrote:
> On Fri, Apr 26, 2024 at 02:06:16PM -0600, Hank Leininger wrote:
> >   - ~11k EndeavourOS/Arch packages

> Please just write Arch packages. There is no upstream collaboration
> from Endeavour on those 11k packages.

That's fair enough; I rather was attempting to indicate which distro
from a family we used, "~11k Arch packages (on EndeavourOS)", similar to
testing on Rocky as a representative of the RPM ecosystem, etc. We did
not analyze any AUR packages (yet? seems like we could, and if we could
we should).

These same corpuses will be used for continued m4 analysis; so far we've
only done the m4 spelunking on Gentoo.

That reminds me, we did not specify what release-trains we tested for
each; our goal was to pick one that had (or had had, and been rolled
back) a backdoored xz-utils version (5.6.0 / 5.6.1) if we could:

- Debian sid

- EndeavourOS 2024.01.25

- Gentoo as-of 2024-04-18

- Rocky 9.3

Thanks,

-- 

Hank Leininger <hlein@...elogic.com>
8428 ED14 5268 C727 0C48  F454 846F 0637 5FEB 1612

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.