| author | W. Kosior <koszko@koszko.org> | 2026-05-25 18:30:00 +0100 |
|---|---|---|
| committer | W. Kosior <koszko@koszko.org> | 2026-05-25 18:30:00 +0100 |
| commit | 0624feb2306b907646159cd99ef44f14ff8f0264 (patch) | |
| tree | f78c29fe081e10722bab2e734f7d0795569ec71b | |
| parent | 17280213af7ed27a4eff4d9fac438a691b547345 (diff) | |
| download | AGH-OS-security-magister.tar.gz AGH-OS-security-magister.zip | |
| -rw-r--r-- | lectures/10-software-repositories.org | 298 |
1 files changed, 298 insertions, 0 deletions
diff --git a/lectures/10-software-repositories.org b/lectures/10-software-repositories.org new file mode 100644 index 0000000..f791f16 --- /dev/null +++ b/lectures/10-software-repositories.org 
@@ -0,0 +1,298 @@ +#+title: Software Repositories +#+date: 2026-05-25 Mon +#+author: W. Kosior +#+email: wkosior@agh.edu.pl + +* Do you remember… +…the days of searching online for an installer for some piece of software? + +* Common Types of Software Distribution Channels +- OS distro repository + - e.g., repositories of Debian, RedHat, BSD Ports + - special cases: MSYS2, MacPorts + - third-party upstream → packages + - LTS / Bleeding Edge + - main threats: + - vulnerable packages not fixed in time + - human choosing another, less secure channel :( + +* Common Types of Software Distribution Channels, Cont. +- OS distro repository +- specialized software repository + - aka programming language-specific software repository + - some being cross-language + - e.g., PyPI, Maven, npm Registry + - programming libraries + - main threats: + - deliberate malware uploads + - dependency constraints blocking security updates + +* Common Types of Software Distribution Channels, Cont… +- OS distro repository +- specialized software repository +- software store + - e.g., Microsoft Store, Google Play, F-Droid + - applications + - rarely the builders (except F-Droid) + - main threats: + - bundled dependencies not updated + - deliberate malware uploads + +* Common Types of Software Distribution Channels, Cont… +- OS distro repository +- specialized software repository +- software store +- container image repository + - e.g., DockerHub + - special case: FlatHub (a software store at the same time) + - main threats: + - bundled dependencies not updates + - deliberate malware uploads + +* *Typical* Characteristics of Software Distribution Channels +| | OS distro repo | specialized repo | "store" | +|----------------------------+----------------+--------------------+--------------------| +| deps are separate packages | yes | yes | sometimes | + +* *Typical* Characteristics of Software Distribution Channels, Cont. 
+| | OS distro repo | specialized repo | "store" | +|----------------------------+----------------+--------------------+--------------------| +| deps are separate packages | yes | yes | sometimes | +| package counts | <= several 10k | <= several million | <= several million | + +* *Typical* Characteristics of Software Distribution Channels, Cont… +| | OS distro repo | specialized repo | "store" | +|----------------------------+----------------+--------------------+--------------------| +| deps are separate packages | yes | yes | sometimes | +| package counts | <= several 10k | <= several million | <= several million | +| source- or binary-based | varies | varies | binary | + +* *Typical* Characteristics of Software Distribution Channels, Cont… +| | OS distro repo | specialized repo | "store" | +|----------------------------+----------------+--------------------+--------------------| +| deps are separate packages | yes | yes | sometimes | +| package counts | <= several 10k | <= several million | <= several million | +| source- or binary-based | varies | varies | binary | +| anyone can publish | no | yes | yes | +| author = uploader | rarely | usually | usually | + +* *Typical* Characteristics of Software Distribution Channels, Cont… +| | OS distro repo | specialized repo | "store" | +|----------------------------+----------------+--------------------+--------------------| +| deps are separate packages | yes | yes | sometimes | +| package counts | <= several 10k | <= several million | <= several million | +| source- or binary-based | varies | varies | binary | +| anyone can publish | no | yes | yes | +| author = uploader | rarely | usually | usually | +| packages signed by | repo | repo | varies | + +* *Typical* Characteristics of Software Distribution Channels, Cont… +| | OS distro repo | specialized repo | "store" | +|----------------------------+----------------+--------------------+--------------------| +| deps are separate packages | yes | yes | sometimes | +| 
package counts | <= several 10k | <= several million | <= several million | +| source- or binary-based | varies | varies | binary | +| anyone can publish | no | yes | yes | +| author = uploader | rarely | usually | usually | +| packages signed by | repo | repo | varies | +| pay to publish | no | no | sometimes | +| pay to download | no | no | sometimes | + +* *Typical* Characteristics of Software Distribution Channels, Cont… +| | OS distro repo | specialized repo | "store" | +|----------------------------+----------------+--------------------+--------------------| +| deps are separate packages | yes | yes | sometimes | +| package counts | <= several 10k | <= several million | <= several million | +| source- or binary-based | varies | varies | binary | +| anyone can publish | no | yes | yes | +| author = uploader | rarely | usually | usually | +| packages signed by | repo | repo | varies | +| pay to publish | no | no | sometimes | +| pay to download | no | no | sometimes | +| security by patching (lts) | varies | sporadically | no | +| security by updating (be) | varies | yes | yes | + +* *Typical* Characteristics of Software Distribution Channels +| | OS distro repo | specialized repo | "store" | +|----------------------------+----------------+--------------------+--------------------| +| deps are separate packages | yes | yes | sometimes | +| package counts | <= several 10k | <= several million | <= several million | +| source- or binary-based | varies | varies | binary | +| anyone can publish | no | yes | yes | +| author = uploader | rarely | usually | usually | +| packages signed by | repo | repo | varies | +| pay to publish | no | no | sometimes | +| pay to download | no | no | sometimes | +| security by patching (lts) | varies | sporadically | no | +| security by updating (be) | varies | yes | yes | +| targets | users&devs | mostly devs | mostly users | + +* LTS vs Bleeding Edge +- always get newest versions of software + - "rolling release", aka "bleeding 
edge" + - Arch, Fedora Rawhide, OpenSUSE Tumbleween, Debian Unstable, etc. + - vulnerabilities → update to newer version + +* LTS vs Bleeding Edge, Cont. +- always get newest versions of software + - "rolling release", aka "bleeding edge" + - Arch, Fedora Rawhide, OpenSUSE Tumbleween, Debian Unstable, etc. + - vulnerabilities → update to newer version +- what about stability? + - snapshot current software versions + - use snapshotted version for the next X years + - exceptions + - "stable release", aka "LTS" + - Debian, openSUSE Leap, Fedora + - vulnerabilities → patch the old version + - or use LTS updates when offered by upstream + +* LTS in Debian +- Debian Unstable — bleeding edge versions +- Debian Testing + - snapshot of Debian Unstable + - kept for a few months to stabilize +- Debian Stable + - made from Debian Testing +- oldstable + - made from Stable once a new Stable kicks in + - still receives security fixes for some time + +* Patch or Update? +- updating + - less work + - the only viable option for, e.g., Mozilla browsers +- patching + - number of vulnerabilities *only decreases* :) + +* XZ Backdoor +- Backdoor targeting SSH daemons + - Debian, Ubuntu, Fedora, et al +- through XZ compression library +- backdoored XZ source release tarball + - built by distros +- detected in Debian Unstable in 2024 + - before getting to Stable + - already included in, e.g., openSUSE Tumbleweed +- https://i.kym-cdn.com/photos/images/original/002/785/376/4db.png + +* From Source to Installed software +- security guidance (OWASP et al) → SBoM + - far from enough! + - just what we *think* is in our system +- https://slsa.dev/spec/v1.2/threats-overview + - decent categorization ;) +- distro software → securable (with some shortcomings) +- specialized repo software → hard to secure deps +- container images (DockerHub) → hard to secure deps + +* The Bazaar Model +- "The Cathedral and the Bazaar" + - essay by Eric S. 
Raymond + - 1997 +- two free/libre software development models +- "given enough eyeballs, all bugs are shallow" + - blobs in source :( + - distro with guidelines → + - → higher hygiene → + - → smaller attack surface + +* Who Builds It? +- author? + - typical npm package → hundreds dependencies + - (including recursive and dev deps) + - hundreds of developer PCs + - how hard is it to compromise at least one? +- repo? + - required distro resources + - rebuildability → required higher packaging hygiene + - a good thing, actually +- "trusted" third party? + - provenance attestation + - Github Actions + - GitLab CI/CD + - lock-in :( +- end machine (source-based distribution)? + +* Builds by Repo — nuances +- Debian — binary uploads used sporadically (e.g., backports) +- F-Droid — developer signature or repo signature? + +* Build Machine — SPOF +- SolarWinds (Sunburst) backdoor +- reproducible builds (future lecture) + +* Hidden Dependencies +- build container security + - what GitHub Actions' Ubuntu image had inside at build time? +- downloaded deps & other files + - we downloaded a web browser as part of automated tests + - was it not compromised? + - remedies + - verification with a hash? + - mandate network-less builds? + +* VCS vs Release Tarballs +- tarballs: traditional form + - scripts pre-generated by maintainer (Autotools) + - typically PGP-signed + - modified tarballs + - e.g., Debian FSDG compliance +- version control system + - commits can be PGP-signed + - does not include =configure= from Autoconf, etc. + - may not be rebuildable + - signed commits/tags possible +- XZ backdoor + - fewer eyeballs look into tarballs + - *please build from VCS* 🥺 + +* Repository → Machine +- signed package lists + - offline search + - not archived in, e.g., Debian + - downgrade attack possibility? +- online querying + - specialized (aka language-specific) repos +- repo public key used +- distributon major version update? 
+ - subsequent LTS public keys distributed in old + +* Sample Package Formats — Debian (=control= file) +#+begin_src +Source: python-immutables +Maintainer: John Smith <js@example.org> +Section: devel +Priority: optional +Standards-Version: 4.3.0 +Build-Depends: debhelper (>= 11), dh-python, python3-all-dev (>= 3.6), + python3-setuptools (>= 45), +# also add test dependencies + python3-pytest, python3-pytest-flake8, python3-mypy + +Package: python3-immutables +Architecture: all +Depends: ${python3:Depends}, ${misc:Depends} +X-Python3-Version: >= 3.6 +Description: an immutable mapping type for Python + This library provides an immutable alternative to Python's native 'dict'. + The data structure used if Hash Array Mapped Trie (HAMT) which is also utilized + by some functional languages. +#+end_src + +* Sample Package Formats — Debian (=rules= file) +#+begin_src +#! /usr/bin/make -f + +# Immutables debian/rules file + +#export DH_VERBOSE = 1 +export PYBUILD_NAME = immutables +export PYBUILD_TEST_PYTEST = 1 + +%: + MYPYPATH=$$(pwd) dh $@ --with python3 --buildsystem=pybuild +#+end_src + +* Extra: XZ Backdoor Presentation +- https://git.koszko.org/AGH-xz-backdoor-presentation/ |
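Review bot: In the "VCS vs Release Tarballs" slide, the version control system branch makes the same point twice ("commits can be PGP-signed" and, three bullets later, "signed commits/tags possible"); keep one, preferably the second since it also covers tags. Several typos would end up on the rendered slides: "bundled dependencies not updates" in the container image repository slide (the software store slide has "not updated"), "OpenSUSE Tumbleween" in both "LTS vs Bleeding Edge" slides (the XZ Backdoor slide spells it "openSUSE Tumbleweed"), "hundreds dependencies" under "Who Builds It?", "distributon" under "Repository → Machine", and "The data structure used if Hash Array Mapped Trie" in the sample =control= description, where "if" should be "is". On style, the two "#+begin_src" blocks for the Debian =control= and =rules= samples carry no language name; either add one (for example "makefile" for the rules file) or use "#+begin_example" if no highlighting is intended.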
