cross-posted from: https://sh.itjust.works/post/62361303
Hello good people.
Is no one afraid of Bazzites auto updating nature?
I am myself worried about the potential for well timed supply chain attacks from wherever they build their OS images, which somehow build malicious images or just gets itself into the normal image builds and we auto update to.
Is this an unfounded worry? Does anyone know of the security measures in place to prevent attacks?
Auto update just feels weird to me, especially for something like my OS. I’m asking because I went and installed it and realised auto updating seems to be their philosophy… which is scary?
p.s. i couldnt find anyone online discussing this
Thonks
This is a fair question to ask given recent events. I don’t run Fedora currently, so others could probably give a much more exact answer, but from what I understand of it:
Bazzite is built on top of Fedora with uBlue. To compromise one of the packages, the attacker would have to bypass the Fedora enterprise team who are rage filled roid-driven experts who don’t take kindly to that sort of thing. They heavily secure their stuff. Even if an attack was successful, it would have little lasting effect because of immutability and having access to easy rollbacks.
It’s not impossible (like somehow stealing Bazzite’s keys), but it’s incredibly unlikely. AUR/NPM package sketchiness is not anywhere on the same level as compromising Fedora’s keys.
You’re forgetting that Universal Blue doesn’t just ship Fedora stuff.
They include stuff from Homebrew and Flathub out of the box.
Homebrew shipped the backdoored xz library while (by luck) Fedora stable didn’t.
Thanks for your answer. I have a lot of trust with Fedora, I guess I am more worried specifically about bazzites build process potentially being exploited. Sounding like I am being extra paranoid with Bazzite for maybe no reason