In case you missed it, grafana leaked their package signing key AND the passphrase. This has not been loud enough: https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/
Conversation
Notices
-
Embed this notice
James Tucker (raggi@don.rag.pub)'s status on Tuesday, 29-Aug-2023 15:03:22 JST 
James Tucker
-
Embed this notice
Matt Palmer (womble@infosec.exchange)'s status on Tuesday, 29-Aug-2023 22:24:43 JST 
Matt Palmer
@raggi that blog post is rather conspicuously missing a section entitled "how in the name of flying fudge pickles did this happen?!?"
Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 22:52:37 JST 
feld
hahahaha this is amazing -
Embed this notice
feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 22:53:46 JST
feld
I was wondering the same thing. I'm either deploying it from source (FreeBSD) or Docker on Linux -
Embed this notice
cpli (cpli@chaos.social)'s status on Tuesday, 29-Aug-2023 22:53:56 JST 
cpli
@womble @raggi
hopefully this isn't received as crass.you people use their binary distributions?
-
Embed this notice
Matt Palmer (womble@infosec.exchange)'s status on Tuesday, 29-Aug-2023 22:53:57 JST
Matt Palmer
@raggi yes, the degree of exposure is an important element in the risk analysis.
-
Embed this notice
James Tucker (raggi@don.rag.pub)'s status on Tuesday, 29-Aug-2023 22:53:59 JST
James Tucker
@womble I mean I’d like to know that, but the thing I would love to know even more is: exposed where? There’s a huge difference between “we logged it to our s3 logs bucket” and “we committed it to a public git repo” and where on this gradient it is really matters to me as a user
-
Embed this notice
feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 23:41:14 JST
feld
Ok, so it's pretty clear they can't be trusted to manage their own Debian package repos.
But they don't manage the infra around Docker hub. If they were publicizing their own Docker container registry it might be more concerning, but we have to assume that their keys to push to Docker hub are OK.
But then if we don't trust that? What do we trust? Can we even trust their own Git repos? Maybe not if it's their own self-hosted Gitlab (+ the built in Docker registry as previously mentioned). But their code is on Github. Do we trust that? If not, where do you get the source from?
How far do you want to take it? -
Embed this notice
Pete Wright (pete_wright@nlogic.systems)'s status on Tuesday, 29-Aug-2023 23:41:15 JST 
Pete Wright
@raggi @cpli @feld @womble imho I wouldn’t trust their docker images either, I mean if they mess up managing repos this badly I’m not sure I’d trust them to create a Linux container either. That’s a lot of trust to give to a third party 🤷♂️ -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 07-Sep-2023 06:12:56 JST 
Haelwenn /элвэн/ :triskell:
@feld @cpli @raggi @womble @pete_wright Packaging from source source and checking tarball diffs (say via pkgdiff) should be getting usual at this point. feld likes this.
-
Embed this notice
All GNU social JP content and data are available under the