| 1 | +--- |
| 2 | +title: "The XZ Backdoor and Wasmtime" |
| 3 | +author: "Nick Fitzgerald" |
| 4 | +github_name: "fitzgen" |
| 5 | +--- |
| 6 | + |
| 7 | +We are aware that the account responsible for the recent [XZ backdoor] |
| 8 | +contributed a documentation-only [pull request] to [Wasmtime], however |
| 9 | +Wasmtime's safety remains intact. We have reviewed the pull request in detail |
| 10 | +and confirmed that it only modified a single markdown file, and contained no |
| 11 | +changes to source code, build systems, or binaries. Furthermore, the |
| 12 | +documentation was not altered in such a way that it could trick unsuspecting |
| 13 | +readers into sabotaging themselves. |
| 14 | + |
| 15 | +We [believe] that fine-grained sandboxing and capabilities-based security can |
| 16 | +strengthen our collective security posture against backdoors and other [supply |
| 17 | +chain attacks]. That is why we are investing in standardizing and implementing |
| 18 | +technologies like WebAssembly's [component model] and [WASI]. |
| 19 | + |
| 20 | +We take [security and correctness] extremely seriously in the Wasmtime |
| 21 | +project. Our secure development practices include: |
| 22 | + |
| 23 | +* A safe-by-default implementation language |
| 24 | +* Dependency auditing with [`cargo vet`] |
| 25 | +* Ubiquitous fuzzing |
| 26 | +* Formal verification |
| 27 | + |
| 28 | +We believe that this is the minimum you should demand from a WebAssembly |
| 29 | +runtime. We are constantly trying to raise this bar and further strengthen |
| 30 | +Wasmtime's security and correctness assurances. |
| 31 | + |
| 32 | +Follow [these guidelines] if you think you may have discovered a |
| 33 | +security vulnerability in Wasmtime or any other Bytecode Alliance project. |
| 34 | + |
| 35 | +[XZ backdoor]: https://en.wikipedia.org/wiki/XZ_Utils_backdoor |
| 36 | +[pull request]: https://github.com/bytecodealliance/wasmtime/pull/6839 |
| 37 | +[Wasmtime]: https://wasmtime.dev/ |
| 38 | +[security and correctness]: https://bytecodealliance.org/articles/security-and-correctness-in-wasmtime |
| 39 | +[these guidelines]: https://bytecodealliance.org/security#reporting-a-security-bug-in-a-bytecode-alliance-project |
| 40 | +[believe]: https://bytecodealliance.org/about |
| 41 | +[supply chain attacks]: https://en.wikipedia.org/wiki/Supply_chain_attack |
| 42 | +[component model]: https://component-model.bytecodealliance.org/ |
| 43 | +[WASI]: https://wasi.dev/ |
| 44 | +[`cargo vet`]: https://mozilla.github.io/cargo-vet/ |
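Review bot: The opening sentence (file lines 7-9) joins two independent clauses with ", however", which is a comma splice; end the sentence after "[Wasmtime]" and start a new one with "Wasmtime's safety remains intact." In the same paragraph, the claim that the pull request "only modified a single markdown file" would be easier for readers to check against the linked PR if the post named the file that was changed. In the practices list (file lines 23-26), only `cargo vet` carries a link; the other three items have no pointer to supporting material, so consider linking each one or stating that the [security and correctness] article covers them.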