Closed WrathfulSpatula closed 5 months ago
Everyone will be happy to hear me say it: this was a false alarm (even if I'm glad I investigated it). My research gathers that the January release of CUDA toolkit seems to use `/usr/local`. Notwithstanding... I, personally, am uninstalling it, for security reasons, explained above.
I discovered yesterday that, maybe since February, I have been linking Qrack against a version of OpenCL that was installed in `/usr/local` instead of `/usr`. The issue was flagged by the Debian packaging tools, since the `/usr/local` version of OpenCL in the isolated build environment was not in my Debian manifest, when I attempted to update the Qrack Ubuntu PPA. Call me "nuts" (apologies): in a UNIX(-like) operating system, this would have been worrisome in 1980, and today is no different.

System packages (like from Canonical Launchpad, for Ubuntu) go in `/usr`; `/usr/local` is reserved for "local" software, like when installing locally from source. `/usr/local` isn't necessarily as secure, by design, since users should have the control to install the software they want (or that they develop for themselves) on *NIX operating systems. When one installs OpenCL from an Ubuntu system package (or the official, signed CUDA installer), it should go in `/usr`, not `/usr/local`: it's that simple.

Finding the installation in `/usr/local` could be evidence of a "supply-chain attack." My local copy of OpenCL would have been linked into the Qrack releases, in this period. I would advise extreme caution and discernment in installing pre-compiled binary versions of Qrack from this period.

Notably, the Ubuntu PPA itself theoretically is not affected (unless its source code was surreptitiously modified on my compromised machine, though the source itself is provided by the packages, which users can inspect). It provides a source package that installed its dependencies (OpenCL and `libc`, to memory) on the remote and secure Launchpad servers, directly from the official Canonical Ubuntu PPAs.

I am working on a plan to recover the security of my local build environments. (Among other steps, this will likely entail reinstalling Ubuntu entirely, but this step might not be sufficient in itself.) When my operating systems are reasonably secure, I intend to publish new releases of all packaged Qrack binaries. The progress will be tracked in this issue ticket.

For now, consider limiting installations to Qrack releases prior to February 3rd, or use the Ubuntu PPA.
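A check a maintainer can run on a built binary to catch the mismatch described in this issue, added here as an example and not taken from the Qrack project or from the issue author: it parses `ldd` output, flags every shared library that resolved from under `/usr/local` rather than `/usr` or `/lib`, and then asks `dpkg -S` whether that file belongs to any installed Debian package (an unowned library is the one to investigate). The `ldd` output in `SAMPLE` is constructed for the example and is not output from any real system.

```shell
#!/bin/sh
# Added example (not Qrack project code): detect shared libraries that a binary
# resolves from /usr/local, where system packages should not live.

# flag_local_libs: read ldd-style lines on stdin and print the resolved path of
# every library that lives under /usr/local. ldd lines look like
#   libfoo.so.1 => /path/to/libfoo.so.1 (0x...)
# so the resolved path is the third whitespace-separated field.
flag_local_libs() {
    awk '/=>/ { path = $3; if (path ~ /^\/usr\/local\//) print path }'
}

# check_binary: run ldd on a real binary and, for each flagged library, ask dpkg
# which package owns the file. Libraries no package owns are reported loudly.
# Requires ldd and dpkg on the build host (Debian/Ubuntu).
check_binary() {
    ldd "$1" | flag_local_libs | while read -r lib; do
        if dpkg -S "$lib" >/dev/null 2>&1; then
            echo "$lib: owned by a Debian package"
        else
            echo "$lib: NOT owned by any Debian package (investigate)"
        fi
    done
}

# Constructed sample ldd output (hypothetical; not from the author's machine).
# One library resolves from /usr/local, the rest from system locations.
SAMPLE='	linux-vdso.so.1 (0x00007ffd00000000)
	libOpenCL.so.1 => /usr/local/lib/libOpenCL.so.1 (0x00007f0000000000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0000300000)'

# sample_local_libs: the flagged paths from the constructed sample.
sample_local_libs() {
    printf '%s\n' "$SAMPLE" | flag_local_libs
}

# count_sample_local_libs: how many libraries in the sample came from /usr/local.
count_sample_local_libs() {
    sample_local_libs | wc -l | tr -d ' '
}

# Usage on a real build: check_binary ./build/libqrack.so (or any ELF binary).
# On the constructed sample this prints the single /usr/local path:
sample_local_libs
```

Run against the constructed sample the only flagged path is `/usr/local/lib/libOpenCL.so.1`, which is exactly the kind of file that would not appear in a Debian manifest; `check_binary` applies the same filter to a real binary and adds the package-ownership lookup.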