It would be great if you guys could add info about supply chain attacks at https://www.privacyguides.org/en/basics/common-threats/, there are some info about it here but specific to AUR.
Any community contribution would be greatly appreciated.
I think the passive attack section does partly imply supply chain threats
When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious.
But making it more explicit would be good, I agree.
I've heard open source security people say it's a rabbit hole with no visible end right now.
I think it could have its own section and have been working on a PR in this regard.
It's an important issue, especially with software these days having a lot of external dependencies.
We see some articles about it for modern tooling:
We also see some examples of that in:
One of the most famous ones in the past was the patches that Debian applied to the OpenSSL random number generator, CVE-2008-0166. I'm not sure whether malicious intent was ever proven like with the XZ vulnerability, e.g. (purposefully obfuscated code).
I don't know what is a plausible mitigation for a fundamentally cultural/economical problem.
The XZ developer had flagged mental health issues and was desperate for extra assistance on the project, yet you can't find a company server or Linux distro that wasn't happily relying on it for its core infrastructure regardless.
You can't sandbox something like XZ properly.
Make the threat explicit by all means, people should be aware of it, but I think the end result is another "why bother" reflex for people aiming to take control of their privacy. The fact is these factors are largely outside of your control.
Imo, the larger the list, the easier it is for someone new to this space to decide that it is futile.
We wouldn't be adding those links to the page, that was more for this discussion thread.
With the site we try to write content that does not rely on external sources to explain itself.
The recommendation we would make to readers is to not necessarily install a bunch of obscure apps on their devices thus reducing the space in which one of those developers could maliciously introduce something.
Perhaps we could make some suggestions to people who are curious, such as with open source software, looking to see how many maintainers an app has and how long they've been around for. If a piece of software is developed by a largish company then there is likely to be more people involved and less chance of something being "slipped" in there.
Unfortunately it can never be mitigated entirely.
I had something like this in mind:
https://kerkour.com/backdoored-dependencies-and-supply-chain-attacks
Supply chain attacks and the many different ways I've backdoored your dependencies