summaryrefslogtreecommitdiff
path: root/lectures/10-software-repositories.org
diff options
context:
space:
mode:
authorW. Kosior <koszko@koszko.org>2026-05-25 18:30:00 +0100
committerW. Kosior <koszko@koszko.org>2026-05-25 18:30:00 +0100
commit0624feb2306b907646159cd99ef44f14ff8f0264 (patch)
treef78c29fe081e10722bab2e734f7d0795569ec71b /lectures/10-software-repositories.org
parent17280213af7ed27a4eff4d9fac438a691b547345 (diff)
downloadAGH-OS-security-magister.tar.gz
AGH-OS-security-magister.zip
Add lecture `10-software-repositories'.HEADmagister
Diffstat (limited to 'lectures/10-software-repositories.org')
-rw-r--r--lectures/10-software-repositories.org298
1 files changed, 298 insertions, 0 deletions
diff --git a/lectures/10-software-repositories.org b/lectures/10-software-repositories.org
new file mode 100644
index 0000000..f791f16
--- /dev/null
+++ b/lectures/10-software-repositories.org
@@ -0,0 +1,298 @@
+#+title: Software Repositories
+#+date: 2026-05-25 Mon
+#+author: W. Kosior
+#+email: wkosior@agh.edu.pl
+
+* Do you remember…
+…the days of searching online for an installer for some piece of software?
+
+* Common Types of Software Distribution Channels
+- OS distro repository
+ - e.g., repositories of Debian, RedHat, BSD Ports
+ - special cases: MSYS2, MacPorts
+ - third-party upstream → packages
+ - LTS / Bleeding Edge
+ - main threats:
+ - vulnerable packages not fixed in time
+ - human choosing another, less secure channel :(
+
+* Common Types of Software Distribution Channels, Cont.
+- OS distro repository
+- specialized software repository
+ - aka programming language-specific software repository
+ - some being cross-language
+ - e.g., PyPI, Maven, npm Registry
+ - programming libraries
+ - main threats:
+ - deliberate malware uploads
+ - dependency constraints blocking security updates
+
+* Common Types of Software Distribution Channels, Cont…
+- OS distro repository
+- specialized software repository
+- software store
+ - e.g., Microsoft Store, Google Play, F-Droid
+ - applications
+ - rarely the builders (except F-Droid)
+ - main threats:
+ - bundled dependencies not updated
+ - deliberate malware uploads
+
+* Common Types of Software Distribution Channels, Cont…
+- OS distro repository
+- specialized software repository
+- software store
+- container image repository
+ - e.g., DockerHub
+ - special case: FlatHub (a software store at the same time)
+ - main threats:
+ - bundled dependencies not updates
+ - deliberate malware uploads
+
+* *Typical* Characteristics of Software Distribution Channels
+| | OS distro repo | specialized repo | "store" |
+|----------------------------+​----------------+​--------------------+--------------------|
+| deps are separate packages | yes | yes | sometimes |
+
+* *Typical* Characteristics of Software Distribution Channels, Cont.
+| | OS distro repo | specialized repo | "store" |
+|----------------------------+​----------------+​--------------------+--------------------|
+| deps are separate packages | yes | yes | sometimes |
+| package counts | <= several 10k | <= several million | <= several million |
+
+* *Typical* Characteristics of Software Distribution Channels, Cont…
+| | OS distro repo | specialized repo | "store" |
+|----------------------------+​----------------+​--------------------+--------------------|
+| deps are separate packages | yes | yes | sometimes |
+| package counts | <= several 10k | <= several million | <= several million |
+| source- or binary-based | varies | varies | binary |
+
+* *Typical* Characteristics of Software Distribution Channels, Cont…
+| | OS distro repo | specialized repo | "store" |
+|----------------------------+​----------------+​--------------------+--------------------|
+| deps are separate packages | yes | yes | sometimes |
+| package counts | <= several 10k | <= several million | <= several million |
+| source- or binary-based | varies | varies | binary |
+| anyone can publish | no | yes | yes |
+| author = uploader | rarely | usually | usually |
+
+* *Typical* Characteristics of Software Distribution Channels, Cont…
+| | OS distro repo | specialized repo | "store" |
+|----------------------------+​----------------+​--------------------+--------------------|
+| deps are separate packages | yes | yes | sometimes |
+| package counts | <= several 10k | <= several million | <= several million |
+| source- or binary-based | varies | varies | binary |
+| anyone can publish | no | yes | yes |
+| author = uploader | rarely | usually | usually |
+| packages signed by | repo | repo | varies |
+
+* *Typical* Characteristics of Software Distribution Channels, Cont…
+| | OS distro repo | specialized repo | "store" |
+|----------------------------+​----------------+​--------------------+--------------------|
+| deps are separate packages | yes | yes | sometimes |
+| package counts | <= several 10k | <= several million | <= several million |
+| source- or binary-based | varies | varies | binary |
+| anyone can publish | no | yes | yes |
+| author = uploader | rarely | usually | usually |
+| packages signed by | repo | repo | varies |
+| pay to publish | no | no | sometimes |
+| pay to download | no | no | sometimes |
+
+* *Typical* Characteristics of Software Distribution Channels, Cont…
+| | OS distro repo | specialized repo | "store" |
+|----------------------------+​----------------+​--------------------+--------------------|
+| deps are separate packages | yes | yes | sometimes |
+| package counts | <= several 10k | <= several million | <= several million |
+| source- or binary-based | varies | varies | binary |
+| anyone can publish | no | yes | yes |
+| author = uploader | rarely | usually | usually |
+| packages signed by | repo | repo | varies |
+| pay to publish | no | no | sometimes |
+| pay to download | no | no | sometimes |
+| security by patching (lts) | varies | sporadically | no |
+| security by updating (be) | varies | yes | yes |
+
+* *Typical* Characteristics of Software Distribution Channels
+| | OS distro repo | specialized repo | "store" |
+|----------------------------+​----------------+​--------------------+--------------------|
+| deps are separate packages | yes | yes | sometimes |
+| package counts | <= several 10k | <= several million | <= several million |
+| source- or binary-based | varies | varies | binary |
+| anyone can publish | no | yes | yes |
+| author = uploader | rarely | usually | usually |
+| packages signed by | repo | repo | varies |
+| pay to publish | no | no | sometimes |
+| pay to download | no | no | sometimes |
+| security by patching (lts) | varies | sporadically | no |
+| security by updating (be) | varies | yes | yes |
+| targets | users&devs | mostly devs | mostly users |
+
+* LTS vs Bleeding Edge
+- always get newest versions of software
+ - "rolling release", aka "bleeding edge"
+ - Arch, Fedora Rawhide, OpenSUSE Tumbleween, Debian Unstable, etc.
+ - vulnerabilities → update to newer version
+
+* LTS vs Bleeding Edge, Cont.
+- always get newest versions of software
+ - "rolling release", aka "bleeding edge"
+ - Arch, Fedora Rawhide, OpenSUSE Tumbleween, Debian Unstable, etc.
+ - vulnerabilities → update to newer version
+- what about stability?
+ - snapshot current software versions
+ - use snapshotted version for the next X years
+ - exceptions
+ - "stable release", aka "LTS"
+ - Debian, openSUSE Leap, Fedora
+ - vulnerabilities → patch the old version
+ - or use LTS updates when offered by upstream
+
+* LTS in Debian
+- Debian Unstable — bleeding edge versions
+- Debian Testing
+ - snapshot of Debian Unstable
+ - kept for a few months to stabilize
+- Debian Stable
+ - made from Debian Testing
+- oldstable
+ - made from Stable once a new Stable kicks in
+ - still receives security fixes for some time
+
+* Patch or Update?
+- updating
+ - less work
+ - the only viable option for, e.g., Mozilla browsers
+- patching
+ - number of vulnerabilities *only decreases* :)
+
+* XZ Backdoor
+- Backdoor targeting SSH daemons
+ - Debian, Ubuntu, Fedora, et al
+- through XZ compression library
+- backdoored XZ source release tarball
+ - built by distros
+- detected in Debian Unstable in 2024
+ - before getting to Stable
+ - already included in, e.g., openSUSE Tumbleweed
+- https://i.kym-cdn.com/photos/images/original/002/785/376/4db.png
+
+* From Source to Installed software
+- security guidance (OWASP et al) → SBoM
+ - far from enough!
+ - just what we *think* is in our system
+- https://slsa.dev/spec/v1.2/threats-overview
+ - decent categorization ;)
+- distro software → securable (with some shortcomings)
+- specialized repo software → hard to secure deps
+- container images (DockerHub) → hard to secure deps
+
+* The Bazaar Model
+- "The Cathedral and the Bazaar"
+ - essay by Eric S. Raymond
+ - 1997
+- two free/libre software development models
+- "given enough eyeballs, all bugs are shallow"
+ - blobs in source :(
+ - distro with guidelines →
+ - → higher hygiene →
+ - → smaller attack surface
+
+* Who Builds It?
+- author?
+ - typical npm package → hundreds dependencies
+ - (including recursive and dev deps)
+ - hundreds of developer PCs
+ - how hard is it to compromise at least one?
+- repo?
+ - required distro resources
+ - rebuildability → required higher packaging hygiene
+ - a good thing, actually
+- "trusted" third party?
+ - provenance attestation
+ - Github Actions
+ - GitLab CI/CD
+ - lock-in :(
+- end machine (source-based distribution)?
+
+* Builds by Repo — nuances
+- Debian — binary uploads used sporadically (e.g., backports)
+- F-Droid — developer signature or repo signature?
+
+* Build Machine — SPOF
+- SolarWinds (Sunburst) backdoor
+- reproducible builds (future lecture)
+
+* Hidden Dependencies
+- build container security
+ - what GitHub Actions' Ubuntu image had inside at build time?
+- downloaded deps & other files
+ - we downloaded a web browser as part of automated tests
+ - was it not compromised?
+ - remedies
+ - verification with a hash?
+ - mandate network-less builds?
+
+* VCS vs Release Tarballs
+- tarballs: traditional form
+ - scripts pre-generated by maintainer (Autotools)
+ - typically PGP-signed
+ - modified tarballs
+ - e.g., Debian FSDG compliance
+- version control system
+ - commits can be PGP-signed
+ - does not include =configure= from Autoconf, etc.
+ - may not be rebuildable
+ - signed commits/tags possible
+- XZ backdoor
+ - fewer eyeballs look into tarballs
+ - *please build from VCS* 🥺
+
+* Repository → Machine
+- signed package lists
+ - offline search
+ - not archived in, e.g., Debian
+ - downgrade attack possibility?
+- online querying
+ - specialized (aka language-specific) repos
+- repo public key used
+- distributon major version update?
+ - subsequent LTS public keys distributed in old
+
+* Sample Package Formats — Debian (=control= file)
+#+begin_src
+Source: python-immutables
+Maintainer: John Smith <js@example.org>
+Section: devel
+Priority: optional
+Standards-Version: 4.3.0
+Build-Depends: debhelper (>= 11), dh-python, python3-all-dev (>= 3.6),
+ python3-setuptools (>= 45),
+# also add test dependencies
+ python3-pytest, python3-pytest-flake8, python3-mypy
+
+Package: python3-immutables
+Architecture: all
+Depends: ${python3:Depends}, ${misc:Depends}
+X-Python3-Version: >= 3.6
+Description: an immutable mapping type for Python
+ This library provides an immutable alternative to Python's native 'dict'.
+ The data structure used if Hash Array Mapped Trie (HAMT) which is also utilized
+ by some functional languages.
+#+end_src
+
+* Sample Package Formats — Debian (=rules= file)
+#+begin_src
+#! /usr/bin/make -f
+
+# Immutables debian/rules file
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = immutables
+export PYBUILD_TEST_PYTEST = 1
+
+%:
+ MYPYPATH=$$(pwd) dh $@ --with python3 --buildsystem=pybuild
+#+end_src
+
+* Extra: XZ Backdoor Presentation
+- https://git.koszko.org/AGH-xz-backdoor-presentation/
generated by cgit