this post was submitted on 09 Apr 2024
309 points (98.7% liked)
Linux
48375 readers
1001 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This is not a good argument imo. It was a miracle that xz vulnerability was found so fast, and should not be assumed as standard. The developer had been contributing to the codebase for 2 years, and their code already landed in debian stable iirc. There's still no certainty that that code had no vulnerabilities. Some vulnerabilities in the past were caught decades after their introduction.
Its not a miracle it is just probability. When you have enough eyes on something you are bound to catch bugs and problems.
Debian holds back because its primary goal is to be stable, reliable and consistent. It has been around longer that pretty much everything else and it can run for decades without issue. I read a article about a university that still had the original Debian install from the 90's. It was on newer hardware but they just copied over the files.
Lots of eyes is not enough. As I mentioned earlier, there are many popular programs found on most machines, and some actually user facing (unlike xz) where vulnerabilities were caught months, years, and sometimes decades later. xz is an exception, not a rule.
I was running 12 stable on a machine that had been updated and upgraded in between the time when the backdoor was introduced and when it was discovered. At no point in time did either dpkg query or the self report show that system had the affected 5.6.0(?) version.
Stable had versions of xz that contained commits from the attacker and has been walked back to before those were made out of an abundance of caution.
There’s a lot of eyes on that software now and I haven’t seen anyone report that versions between the attacker gaining commit rights and the attacked version were compromised yet, as you said though: that doesn’t mean it isn’t and vulnerabilities have existed for many years without being discovered.
As to whether it’s a good argument, vulnerabilities have a short lifespan generally. Just hanging back and waiting a little while for something to crop up is usually enough to avoid them. If you don’t believe me, check the nist database.
I’m gonna sound like a goober here, but the easiest way to not trip is to slow down and look where you’re going.