Conversation

Notices

1. Embed this notice
   James Tucker (raggi@don.rag.pub)'s status on Tuesday, 29-Aug-2023 15:03:22 JST James Tucker

   In case you missed it, grafana leaked their package signing key AND the passphrase. This has not been loud enough: https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/

   • Embed this notice
     Matt Palmer (womble@infosec.exchange)'s status on Tuesday, 29-Aug-2023 22:24:43 JST Matt Palmer

     in reply to

     @raggi that blog post is rather conspicuously missing a section entitled "how in the name of flying fudge pickles did this happen?!?"

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 22:52:37 JST feld

     in reply to
     hahahaha this is amazing
   • Embed this notice
     feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 22:53:46 JST feld

     in reply to

     • Matt Palmer
     • cpli
     I was wondering the same thing. I'm either deploying it from source (FreeBSD) or Docker on Linux
   • Embed this notice
     cpli (cpli@chaos.social)'s status on Tuesday, 29-Aug-2023 22:53:56 JST cpli

     in reply to

     • Matt Palmer

     @womble @raggi
     hopefully this isn't received as crass.

     you people use their binary distributions?

   • Embed this notice
     Matt Palmer (womble@infosec.exchange)'s status on Tuesday, 29-Aug-2023 22:53:57 JST Matt Palmer

     in reply to

     @raggi yes, the degree of exposure is an important element in the risk analysis.

   • Embed this notice
     James Tucker (raggi@don.rag.pub)'s status on Tuesday, 29-Aug-2023 22:53:59 JST James Tucker

     in reply to

     • Matt Palmer

     @womble I mean I’d like to know that, but the thing I would love to know even more is: exposed where? There’s a huge difference between “we logged it to our s3 logs bucket” and “we committed it to a public git repo” and where on this gradient it is really matters to me as a user

   • Embed this notice
     feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 23:41:14 JST feld

     in reply to

     • Matt Palmer
     • Pete Wright
     • cpli
     Ok, so it's pretty clear they can't be trusted to manage their own Debian package repos.
     
     But they don't manage the infra around Docker hub. If they were publicizing their own Docker container registry it might be more concerning, but we have to assume that their keys to push to Docker hub are OK.
     
     But then if we don't trust that? What do we trust? Can we even trust their own Git repos? Maybe not if it's their own self-hosted Gitlab (+ the built in Docker registry as previously mentioned). But their code is on Github. Do we trust that? If not, where do you get the source from?
     
     How far do you want to take it?
   • Embed this notice
     Pete Wright (pete_wright@nlogic.systems)'s status on Tuesday, 29-Aug-2023 23:41:15 JST Pete Wright

     in reply to

     • feld
     • Matt Palmer
     • cpli
     @raggi @cpli @feld @womble imho I wouldn’t trust their docker images either, I mean if they mess up managing repos this badly I’m not sure I’d trust them to create a Linux container either. That’s a lot of trust to give to a third party 🤷♂️
   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 07-Sep-2023 06:12:56 JST Haelwenn /элвэн/ :triskell:

     in reply to

     • feld
     • Matt Palmer
     • Pete Wright
     • cpli
     @feld @cpli @raggi @womble @pete_wright Packaging from source source and checking tarball diffs (say via pkgdiff) should be getting usual at this point.
     feld likes this.