How secure is launchpad?

Asked by Jeff Silverman

How secure is Launchpad? How secure is open source software in general?

Suppose a bad actor were to submit a change to a relatively inactive project, how would it generally become known?

We accept axiomatically that open source software is intrinsically more reliable than closed source software. I accept this axiom myself. However, with the SolarWinds fiasco and now Kaseya, I think we have to assume that there is an open source software supply chain. It isn't clear to me how secure that supply chain is.

The scenario I am thinking of is that somebody creates some useful software, say, a library. Then, for some reason, that software is no longer maintained by the author. Somebody else comes along, creates an untraceable account, and submits an evil patch. How would that become known? I'm not asking about catching the bad actor, although that would be nice; it is necessary and sufficient that the evil patch be detected and everybody who downloaded it gets notified.

This question is not really specific to Launchpad. Every public repository of open source software (Launchpad, GitHub, PyPI, CPAN) is vulnerable, I think, but I am not quite sure.

This is not really the same question as #65878.

The reason I am raising the question here is that I can see how a possible answer could really devastate the open source movement and I do not want that.

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Colin Watson
Best answer: Colin Watson (cjwatson) said:
#1

We have a number of measures in place to try to encourage good practice and make it possible to trace compromises. For instance:

 * supply chain issues are one of the reasons why package builds in Launchpad are only allowed to build from other resources in Launchpad and not download things from the internet at large;
 * we encourage code review and put a lot of work into linking between bugs, merge proposals, equivalent bugs on other sites, CVEs, and so on in order to make it as easy as possible to check the provenance of patches;
 * we have always refused to distribute binaries in Launchpad-managed archives that aren't built from source in Launchpad, which ensures that it's possible to trace back from a compromised binary to the source code modification that introduced it;
 * we're very careful to ensure that everything built in Launchpad has a robust audit trail;
 * in Ubuntu, we require security reviews for new packages shipped as part of the "main" component, and it's also reasonably common (both in Debian and Ubuntu) for packagers to build personal relationships with upstream maintainers and also to pay at least some attention to the differences between successive upstream versions.

However, that's only a partial answer to your question, because ultimately the only way to spot this sort of thing is going to involve somebody actually auditing code. I think the remaining parts of your question are essentially an open research topic rather than something we can really answer completely as site staff.
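The measures above rely on every build input being something whose provenance can be checked. The following script is an added example (not Launchpad's code, and not from either participant) of the simplest form of that check: a lock file pins each artifact by content hash, any download that does not match is refused and reported, and a constructed download log is used to work out who has already fetched the affected artifact and should be notified. The package names, versions, tarball bytes and consumer names are all constructed for the example.

```python
"""Pinned-hash verification of build inputs (added example, not Launchpad code).

Idea: a build may only consume artifacts whose sha256 is recorded in a lock
file.  A re-uploaded or modified artifact for an already-pinned version shows
up as a hash mismatch, and the download log tells us which consumers fetched
it and therefore need to be told.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ArtifactKey = Tuple[str, str]  # (name, version)


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    status: str              # "ok", "hash-mismatch" or "unpinned"
    expected: Optional[str]  # hash recorded in the lock file, if any
    actual: str              # hash of the bytes actually downloaded


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(lockfile: Dict[ArtifactKey, str],
                     downloaded: Dict[ArtifactKey, bytes]) -> List[Finding]:
    """Compare every downloaded artifact against the pinned hash for its version."""
    findings = []
    for (name, version), data in sorted(downloaded.items()):
        actual = sha256_hex(data)
        expected = lockfile.get((name, version))
        if expected is None:
            status = "unpinned"          # never recorded: refuse until reviewed
        elif expected != actual:
            status = "hash-mismatch"     # same version, different bytes
        else:
            status = "ok"
        findings.append(Finding(name, version, status, expected, actual))
    return findings


def build_allowed(findings: List[Finding]) -> bool:
    """A build proceeds only when every input verified cleanly."""
    return all(f.status == "ok" for f in findings)


def affected_consumers(findings: List[Finding],
                       download_log: List[Tuple[str, str, str]]) -> List[str]:
    """Consumers (from a (consumer, name, version) log) who fetched a bad artifact."""
    bad = {(f.name, f.version) for f in findings if f.status != "ok"}
    return sorted({who for who, name, version in download_log if (name, version) in bad})


# ---- constructed sample data -------------------------------------------------
GOOD_TARBALL = b"libwidget-1.2.0: int add(int a, int b) { return a + b; }\n"
# Same version re-uploaded with extra content: what a silent replacement looks like.
TAMPERED_TARBALL = GOOD_TARBALL + b"// constructed extra line standing in for an unreviewed change\n"

LOCKFILE = {("libwidget", "1.2.0"): sha256_hex(GOOD_TARBALL)}

DOWNLOAD_LOG = [
    ("ci-runner-7", "libwidget", "1.2.0"),
    ("alice-laptop", "libwidget", "1.2.0"),
    ("bob-laptop", "libfoo", "0.9.1"),
]

if __name__ == "__main__":
    clean = verify_artifacts(LOCKFILE, {("libwidget", "1.2.0"): GOOD_TARBALL})
    print("clean build allowed:", build_allowed(clean))
    suspicious = verify_artifacts(LOCKFILE, {
        ("libwidget", "1.2.0"): TAMPERED_TARBALL,
        ("libfoo", "0.9.1"): b"libfoo-0.9.1 (never pinned)\n",
    })
    for f in suspicious:
        print(f"{f.name} {f.version}: {f.status}")
    print("build allowed:", build_allowed(suspicious))
    print("notify:", affected_consumers(suspicious, DOWNLOAD_LOG))
```

Pinning by hash catches a replaced artifact but not a malicious change that arrives as a legitimately released new version; that case still needs the code review and version-diff attention described in the answer.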

Jeff Silverman (jeffsilverm) said:
#2

Colin, thank you for your very thoughtful response. It was, more or less, the answer I was expecting. But I just had to ask.

Jeff