oss-sec mailing list archives

Re: Update on the distro-backdoor-scanner effort


From: Hank Leininger <hlein () korelogic com>
Date: Sun, 28 Apr 2024 00:45:34 -0600

On 2024-04-28, Morten Linderud wrote:
On Fri, Apr 26, 2024 at 02:06:16PM -0600, Hank Leininger wrote:
  - ~11k EndeavourOS/Arch packages

Please just write Arch packages. There is no upstream collaboration
from Endeavour on those 11k packages.

That's fair enough; I rather was attempting to indicate which distro
from a family we used, "~11k Arch packages (on EndeavourOS)", similar to
testing on Rocky as a representative of the RPM ecosystem, etc. We did
not analyze any AUR packages (yet? seems like we could, and if we could
we should).

These same corpora will be used for continued m4 analysis; so far we've
only done the m4 spelunking on Gentoo.

That reminds me, we did not specify what release-trains we tested for
each; our goal was to pick one that had (or had had, and been rolled
back) a backdoored xz-utils version (5.6.0 / 5.6.1) if we could:

- Debian sid

- EndeavourOS 2024.01.25

- Gentoo as of 2024-04-18

- Rocky 9.3

Thanks,

-- 

Hank Leininger <hlein () korelogic com>
8428 ED14 5268 C727 0C48  F454 846F 0637 5FEB 1612
