
Build-related fixes are only treating the symptoms, not the disease. The real fix would be better sandboxing and capability-based security[1] built into major OSes which make backdoors a lot less useful. Why does a compression library have the ability to "install an audit hook into the dynamic linker" or anything else that isn't compressing data? No amount of SBOMs, reproducible builds, code signing, or banning binaries will change the fact that one mistake anywhere in the stack has a huge blast radius.

[1]: https://en.wikipedia.org/wiki/Capability-based_security



That's why I always raise concerns about JEP 411 - removal of SecurityManager from Java without any replacement.


Just ban autotools



