Last year, I had a few weeks between jobs and decided to look at the infrastructure security of random Linux distributions with the good friends at Fenrisk.

We ended up getting code execution on the Fedora Git forge hosting all package sources and on the Open Build Service instance of openSUSE. Nothing technically fancy (the usual silly argument injection bugs), but we could have effectively backdoored all their packages :°)

We finally presented the details last week at @1ns0mn1h4ck: https://fenrisk.com/assets/media/Don't%20let%20Jia%20Tan%20have%20all%20the%20fun_%20hacking%20into%20Fedora%20and%20OpenSUSE.pdf.

Also now available on the blog:
- Our approach: https://fenrisk.com/supply-chain-attacks
- Pagure: https://fenrisk.com/pagure
- OBS: https://fenrisk.com/open-build-service

Big kudos to distro maintainers, this was one of the most efficient disclosures of my life!

(now let's do kernel.org?)

@swapgs @1ns0mn1h4ck wow...

@swapgs @1ns0mn1h4ck cool stuff ✊

@swapgs @1ns0mn1h4ck Awesome stuff

@swapgs @1ns0mn1h4ck Free infra assessment? Yes please. Just give me a heads-up first. :)

@monsieuricon Will do! In this case we did a PoC locally and reached out to maintainers before testing on staging, I think that’s the best way to proceed.

@swapgs This talk may help -- it's about things we've thought about. https://www.youtube.com/watch?v=K3SVt1WCheY