ghrc.io Appears to be Malicious

A simple typo of ghcr.io to ghrc.io would normally be a small goof. You’d typically get a 404 or similar error, finally work out the issue, fix it, and move along. But in this case, that typo appears to be doing something very malicious: stealing your credentials. What’s ghcr.io? First, a quick bit of background. ghcr.io is an OCI-conformant registry for container images and OCI artifacts used by a lot of projects. When tools are configured to access it, they often do so with credentials to access private content or to push content. And that happens using the OCI APIs and the token auth workflow currently defined by the distribution project. ...

August 22, 2025 · Last updated August 22, 2025 · Brandon Mitchell

Is Know Your Developer a Supply Chain Solution?

The financial industry has a concept of “know your customer” to prevent financial fraud. The concept is that fraudsters do not want transactions linked back to their identity. There’s a similar push happening in Open Source security, to verify the identities of contributors before allowing their commits. The suggestion is that this could prevent an xz-style attack by requiring in-person verification, such as a PGP key signing meeting. ...

March 27, 2025 · Last updated March 27, 2025 · Brandon Mitchell

Reproducible Builds

Reproducible builds are an idealistic solution to many supply chain security challenges I see today. They eliminate an entire chain of attacks, from a compromised build infrastructure (see SolarWinds) to a compromised artifact distribution. But they are only a piece of the solution, and they are rarely implemented today. Here’s my take on what a complete solution would look like, and why no one is doing it. Theoretical Solution An end-to-end solution needs multiple checks at each point along the software delivery path. The goal is to eliminate any single point that can be compromised in the build pipeline. ...

March 20, 2025 · Last updated March 27, 2025 · Brandon Mitchell