Shut down the ability to distribute fake "source code" in releases

[AngryLoki]

Select Topic Area

General

Body

Hi Team,

Earlier on on github.blog it was announced that

If you rely on stable archives for security (ensuring you don’t accidentally trigger a tarbomb, for example), we recommend you switch to release assets instead of using source downloads.

Unfortunately, this decision caused probably the biggest supply chain attack in the history known as XZ Utils backdoor.

This attack was multistage, but in reality only one step was important - ability to distribute modified blob with seemingly autogenerated code, which was patched manually. The other changes didn't make any difference. When JiaT75 uploaded modified archive, the whole security model was broken and all other ifunc or landlock-related changes could be patched directly in archive.

From this point of view, the timeline of attack was:

1. On January 30, 2023, GitHub deployed a change which slightly altered the compression settings on source code downloads. This caused checksum mismatches on .tar.gz files, breaking packaging systems in multiple distributions.
2. On February 21, 2023, GitHub published an announcement, asserting that only assets which were uploaded to GitHub are guaranteed to have the same checksum, while the real git-based source code might change checksum in a long term. This has caused many distributions to lose their mechanism for obtaining real source code, as checksum might eventually break.
3. On February 24, 2024, Jia Tan publishes an xz-5.6.0.tar.gz distribution with an extra, malicious code that adds the backdoor when building a deb/rpm package. And while every distribution had autotools for building autogenerate code, nobody was able to download git code in the first place.
4. On March 28, 2024, the backdoor was discovered.

GitHub's actions had a significant impact on the success of this attack. In my opinion, this cannot go unanswered. I would like to ask the GitHub team to publish a response post to this attack, with these key points:

1. GitHub guarantees the stability of checksums for automatically generated archives published as releases.
2. GitHub emphasizes the importance of distinguishing between source code and additional artifacts that may contain arbitrary injections.

In the end, any appearance of some arbitrarily attached archive with supposedly autogenerated source code should be subconsciously rejected by all maintainers, thus generating a responsible attitude to security and stopping such attacks at the root.

Thank you in advance!

[bjorn3]

AFAIK the autogenerated source tarballs are missing git submodules, without which many projects won't build at all, so for these projects the autogenerated source tarballs are useless even if they are guaranteed to keep the same hash forever.

[AngryLoki]

@bjorn3 , GitHub team can respond to this too and provide "full download" link for releases. But it should start at least with ability to download a single-repo reliably.

[aaron888hacker]

Yeah, you're right.