Comments on the recent XZ attack
Alan DeKok
aland at deployingradius.com
Wed Apr 10 22:00:56 UTC 2024
The recent XZ back door (https://www.openwall.com/lists/oss-security/2024/03/29/4) highlighted issues with supply chain attacks on Open Source projects.
The curl library has recently had a statement from its maintainer (https://daniel.haxx.se/blog/2024/04/10/verified-curl/). I thought we should do the same.
At FreeRADIUS, we take these attacks seriously, and have a number of measures in place to protect the source code.
- Signed commits and releases
Only a very small number of people have commit access to the git repo. These are people I've known for over a decade, and who I've met personally. The only way to get commit access is to be personally verified, and to be trusted, and to have a history of good code.
All commits by the maintainers are PGP signed. Occasionally we merge GitHub PRs from third parties which aren't PGP signed. Those patches are only allowed if they can be trivially verified to be correct.
We also PGP sign the release tarballs. Those files are generated internally on secure machines, and not on public-facing systems.
- Generated files
All autoconf generated files are committed to the source repository. This decision was made at the start of the FreeRADIUS project, and hasn't changed since.
I recognize that this is largely an ideological issue. Many people believe that "generated files shouldn't be in git". I disagree strongly. The files are small and tracking them in git allows anyone to trivially check for manually mangled releases as was done in the XZ attack. On a similar note, see the Curl article for comments on "we're creating a docker file so that people can verify the generated files are correct".
I believe it's simpler for everyone concerned to just commit the generated files. We then don't need to create docker images, or do anything else to verify that the generated files are correct: The files are in git, and are PGP signed.
- Testing and Public PRs
All releases are run through in-depth tests. We use static analysis tools to find a large number of problems. The git "master" branch has automated fuzzers which run every night.
Any PRs from unknown people have to pass all of the tests in order to be committed. In many cases, the FreeRADIUS team rewrites the commit itself and then closes the PR. This process helps keep the code clean and safe.
- Independence and Overload
The XZ maintainer was vulnerable to social attacks due to being only one person, and being overloaded with work. At that point, it is tempting to bring new / unknown people on board to help.
In contrast, FreeRADIUS has a business behind it: Network RADIUS. The company is operating well, and has a number of people to help share the work load. We are not going to be running out of engineering resources any time soon.
- Conclusion
As a result of all of the above, we believe that we are doing everything in our power to keep FreeRADIUS safe. The possibility of a supply-chain attack is very low, and we are aggressively watching for such attacks.
Alan DeKok.
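The "trivially check for manually mangled releases" step from the post, written out as an added example. This is not FreeRADIUS project tooling: it takes a git tree and an extracted tarball tree for the same tag and reports every file that differs or exists on only one side, which is exactly how a tampered generated file (the XZ pattern, where the tarball's m4 file carried code git never saw) surfaces when generated files are committed. The directory layout, file contents and the tarball-only allow-list below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not FreeRADIUS project code: check an extracted release
# tarball against the git tree for the same tag. Because the generated
# autoconf files are committed, a tarball that was "manually mangled" the
# way the XZ release was shows up as a plain diff. All paths, contents and
# the allow-list below are constructed for the demo.

# Top-level names a tarball may legitimately carry that git does not.
# Hypothetical list; a real project's list comes from its release procedure.
TARBALL_ONLY_ALLOWLIST="ChangeLog.generated"

# release_matches_git <git_tree> <tarball_tree>
# Prints every file that differs, is missing from the tarball, or is present
# only in the tarball (minus the allow-list). Returns 0 only when nothing is
# reported. In practice produce <git_tree> with
#   git archive <tag> | tar x -C <tmpdir>
# so the .git directory is not part of the comparison, and verify the
# project's detached PGP signature on the tarball (gpg --verify) before
# trusting either side: this diff detects tampering between the two trees,
# it does not establish who produced them.
release_matches_git() {
  git_dir=$1
  tar_dir=$2
  # diff -rq prints one line per differing file and one "Only in <dir>: <name>"
  # line per file present on a single side; it exits 1 when anything differs.
  report=$(diff -rq "$git_dir" "$tar_dir" || true)
  for name in $TARBALL_ONLY_ALLOWLIST; do
    report=$(printf '%s\n' "$report" | grep -vxF "Only in $tar_dir: $name" || true)
  done
  if [ -z "$report" ]; then
    return 0
  fi
  printf '%s\n' "$report"
  return 1
}

# Build a constructed git tree and a matching clean tarball tree under a
# temporary directory; prints the directory holding both.
make_demo_trees() {
  root=$(mktemp -d)
  for side in git tar; do
    mkdir -p "$root/$side/m4"
    printf '#!/bin/sh\n# generated by GNU Autoconf\n' >"$root/$side/configure"
    printf 'AC_INIT([demo], [1.0])\n' >"$root/$side/configure.ac"
    printf 'dnl harmless build macro\n' >"$root/$side/m4/build-to-host.m4"
  done
  # legitimately tarball-only, and on the allow-list
  printf 'see git log\n' >"$root/tar/ChangeLog.generated"
  printf '%s\n' "$root"
}

# Tamper with a tarball tree the way the XZ release was tampered with: a
# generated/macro file in the tarball gains content the git tree never had.
tamper_tarball() {
  printf 'dnl extra macro body present only in the tarball\n' >>"$1/m4/build-to-host.m4"
}

main() {
  root=$(make_demo_trees)
  if release_matches_git "$root/git" "$root/tar"; then
    echo "clean tarball: matches git"
  fi
  tamper_tarball "$root/tar"
  if ! release_matches_git "$root/git" "$root/tar"; then
    echo "tampered tarball: REJECTED"
  fi
  rm -rf "$root"
}
main
```

The allow-list is the only place judgement enters: every name on it is a file whose contents the check will not see, so it should stay short and be reviewed with the same care as a commit. Keeping generated files in git is what makes the rest of the check mechanical; a project that regenerates them at release time would instead need a reproducible build of those files before the diff means anything.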
More information about the Freeradius-Users mailing list