Article 6F9SY Linux Distros Need To Take More Responsibility For Security

by janrinok from SoylentNews on (#6F9SY)

Arthur T Knackerbracket has processed the following story:

Most enterprises have gotten very mature at network and perimeter security, but are still juvenile in their understanding and workflow around open source provenance and software supply chain security. Hackers have shifted their attention towards not only the security of individual open source projects themselves, but the gaps between software artifacts: their transitive dependencies and the build systems they touch.

We need to fix this, and the way to do so is arguably not at the individual project level but rather at the level of the distribution.

"Basically, open source got much more popular, and the front door got harder to break into, so attackers are targeting the back door," said Dan Lorenc, CEO and cofounder at Chainguard, in an interview. Bad actors, in other words, needn't target your code. They can attack one of the dependencies you didn't even know you had.

The cost of open source popularity is that a lot of the mechanisms of trust never really got built in at the onset. Linux (and other) distributions have played a critical role in the adoption of open source historically by doing a lot of the heavy lifting of packaging, building, and signing open source. Distros like Debian, Alpine, or Gentoo have well-deserved reputations as authorities, so users didn't have to trust all open source blindly and got some guardrail guarantees.

But the pace of new open source packages being introduced has far exceeded the ability of distros to keep up. Even a single popular registry (like npm for JavaScript) gets more than 10,000 new packages per day. This basic mismatch between the pace of new open source technology and the relatively glacial speed of the distros results in developers going outside of the distros. They're installing packages to get the latest and greatest as fast as possible but losing trust guarantees in the process.

It's not that distributions have intentionally slowed the pace of progress; rather, they have to balance update speed with distribution stability. Still, given developer impatience, the distributions need to figure out how to accelerate updates and thereby keep better pace with the rampant adoption and security upkeep of open source software.

The Common Vulnerability Scoring System (CVSS) and other signals, such as the OpenSSF Scorecard, offer useful metrics on specific vulnerabilities and their severity. But modern operating system distributions ship with so many packages preinstalled that the average OS is flush with these vulnerabilities. If your car's check engine light were on all of the time, how would you know when you actually needed to see your mechanic? The prevalence of vulnerabilities across Linux distributions is so great that they've become easy to ignore.
