Supply Chain Attacks on Linux Distributions – Fedora Pagure
Published on: 2025-05-30 16:58:37
Note: This article is part of a series on the security of the infrastructure of Linux distributions; don’t forget to read our introduction if you haven’t already!
This is a guest blogpost by friend of Fenrisk, Thomas Chauchefoin.
Why Pagure?
As discussed in the meta-article, we picked Pagure from the Fedora Apps Directory and already had a technical approach in mind. A software forge is likely to be a good target for argument injection (user-controlled values that end up being interpreted as command-line options of a spawned program): we can expect the backend to shell out to the git command-line tool for some operations even when libgit2 bindings are used.
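To make the argument-injection point concrete, here is an added example (not code from Pagure or from the article's author): a hypothetical getopt-style parser standing in for any git-like CLI, a naive argv builder that passes a user-supplied ref straight through, and a hardened builder that both allow-lists the ref and terminates option parsing with a bare "--". The option name, the ref pattern and the sample inputs are all constructed for the illustration.

```python
import re
from typing import Dict, List

# Hypothetical stand-in for a getopt-style CLI such as a git subcommand:
# anything starting with "-" before a bare "--" is read as an option,
# everything after "--" is an operand. Not Pagure's or git's own code.
def parse_like_cli(argv: List[str]) -> Dict[str, object]:
    options: Dict[str, str] = {}
    operands: List[str] = []
    only_operands = False
    for arg in argv[1:]:  # argv[0] is the program name
        if only_operands:
            operands.append(arg)
        elif arg == "--":
            only_operands = True
        elif arg.startswith("-"):
            name, _, value = arg.lstrip("-").partition("=")
            options[name] = value
        else:
            operands.append(arg)
    return {"options": options, "operands": operands}


def build_argv_naive(user_ref: str) -> List[str]:
    # Passing an argv list (no shell) blocks ";" and "|" but NOT option
    # injection: a ref beginning with "-" is still an option to the callee.
    return ["fakegit", user_ref]


# Constructed allow-list: a conservative subset of what a ref name may contain.
# It rejects a leading "-" by construction.
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def build_argv_safe(user_ref: str) -> List[str]:
    # Defence in depth: reject anything outside the allow-list, then end option
    # parsing with "--" so the ref can only ever be an operand.
    if not SAFE_REF.fullmatch(user_ref) or ".." in user_ref:
        raise ValueError(f"refusing value that is not a plain ref name: {user_ref!r}")
    return ["fakegit", "--", user_ref]


if __name__ == "__main__":
    hostile = "--output=/tmp/anywhere"  # constructed input, not a real finding
    print(parse_like_cli(build_argv_naive(hostile)))  # the option is honoured
    try:
        build_argv_safe(hostile)
    except ValueError as exc:
        print("rejected:", exc)
    print(parse_like_cli(build_argv_safe("rawhide")))  # operands only
```

The same two-step defence (strict validation of the value, plus "--" before any user-controlled operand) applies unchanged when the argv list is handed to subprocess.run: avoiding the shell removes metacharacter injection, but only the callee's own option parsing decides whether a leading dash is data or a flag.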
In addition, this is a self-service application, in the sense that anyone can create a Fedora contributor account and gain authenticated access to various services. For instance, this allows users to report packaging issues and contribute back directly on Pagure.
Fedora packages are made of several text files, for instance in the case of OpenSSH:
A spec file, describing upstream sources, dependencies, build steps, and patches to apply, e.g. openssh.spec.