From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=6My0=LG=maskray.me=i@sourceware.org>
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10olkn2045.outbound.protection.outlook.com [40.92.40.45])
	by sourceware.org (Postfix) with ESMTPS id A47283858D28
	for <binutils@sourceware.org>; Mon,  1 Apr 2024 07:29:00 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org A47283858D28
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=maskray.me
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=maskray.me
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org A47283858D28
Authentication-Results: server2.sourceware.org; arc=pass smtp.remote-ip=40.92.40.45
ARC-Seal: i=2; a=rsa-sha256; d=sourceware.org; s=key; t=1711956543; cv=pass;
	b=ZXY3S/EuNHM7C2R6ujVfI3xa7O88wJNVwAx4oCeiaK5Jz9gbNfRCj9XFcaT5oNlaxahiDGn8ClQs/pobJ8MeDkNDY5t9ETdSVm7rh0Szopcq6sEHBqmqcrn9KTCYDJy8I+4dyZ+HIXVqPhQrG5pVfZLAQHtRdvDhbDB4BkRF128=
ARC-Message-Signature: i=2; a=rsa-sha256; d=sourceware.org; s=key;
	t=1711956543; c=relaxed/simple;
	bh=bNgGtDo/WaRG5z0+vgMgTdamfwgze8+Uus4eBlxyR8Y=;
	h=From:Date:Message-ID:Subject:To:MIME-Version; b=MnMmMVJP8WE3GiVUMrZwcHRLY0IHoHxvF2onN99b3yLu1G+X2renDDdkqWvkZX5FrOVhbMY0P8rEsUefGOhzvJ98AE3cRzd4VtA1pD3DTtCzkg23Ij644hYU5ak5doIHSPrlQ6/aMrgJga+lXlgbOgC9pAwM1zs3jdLSVvlrZAw=
ARC-Authentication-Results: i=2; server2.sourceware.org
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=czV3nYgmOe+fLLgNWT2tjILoWAgMoeiFmjaAkcH6ZRqKOA1yasrxAEXRu3lsc1cY4uguhsWUd+L24YiVIRo77cxQFs/1YZgbuG4PGRkUlBbu4sEqqWaFwzBIOtPAUKd0pAD2I+Kh68dRSGIKRuHGRxmXV3kKnGFDxEVYx8PgbzN52PYQL/1FffZYpP2CKjzFwpA+jYk0ZMwyALfcB/UlzrAua5MB7Uxwn6QJJVJsnfAKrCx67KrSZRJ4UWd1NC1aiV+KkSsYS7gyltuJf9zs28yfF7uVFF/17i0owgh5BUzZ7//bJf7rXyDsuI9m9uxfHYjjF19yW0yE8+1CBVxelw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=bNgGtDo/WaRG5z0+vgMgTdamfwgze8+Uus4eBlxyR8Y=;
 b=et6UEIOVH0tvi0lZk3bXMvoIgBbCvp8NbxdwXZauZRJUayv+drtAMtziZbZF3HFi7ejcmKp2zQ8vEOD0l48uqjYkNrqJBpAH1wE1JaxOCuoWmTDTRcpY9wiH6Kk5dB5dof+l5BZql+pjlub8CGog2lKLVg5uw5AZBz7e2W7F/0mEnqO1EOAMgbfxapbAXeCYEkx/82M2v4kVBHxIo7RkWqBZ577ijrDGgwomDzEXHcjT6oSXmed9/X4Nu9ixngTVY+fyGy+10k8RRRAPRgYPA1FeHLHLIsmApe6+qdPY55nzwP6XeuEuENg8hKQnVNPiObhfXBnRATky4gHwQycIdg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
 dkim=none; arc=none
Received: from DS7PR12MB5765.namprd12.prod.outlook.com (2603:10b6:8:74::19) by
 SN7PR12MB7108.namprd12.prod.outlook.com (2603:10b6:806:2a3::21) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.46; Mon, 1 Apr
 2024 07:28:58 +0000
Received: from DS7PR12MB5765.namprd12.prod.outlook.com
 ([fe80::a812:d545:ea04:4982]) by DS7PR12MB5765.namprd12.prod.outlook.com
 ([fe80::a812:d545:ea04:4982%5]) with mapi id 15.20.7409.042; Mon, 1 Apr 2024
 07:28:58 +0000
X-Gm-Message-State: AOJu0YzYnfOqZZNnBXwQM1CcY8hCfOhWdU7YcZ1yegjF2ChptnX3fuvq
	UKIVXuKLPS4/B1MiwQzARoCkNq/LBSQraW/jBbhASzlk1nbW5C6J1bBn3d1yMunIzVREBV6Qeky
	SpHpftSHeLLiG73hkhjCa/Je8F3Y=
X-Google-Smtp-Source: AGHT+IFfYkQgv/jyKWfzfPXFEggHpLDvLjF+tNqsJvOQHwwxOSNJ0sTSi45Yx3+0gtc3z+tZCrSKQ3LhbfMNasmCwtM=
X-Received: by 2002:a05:6122:201f:b0:4c7:98d3:db76 with SMTP id
 l31-20020a056122201f00b004c798d3db76mr5516949vkd.4.1711956534078; Mon, 01 Apr
 2024 00:28:54 -0700 (PDT)
References: <CACKH++ZCwhA9n9GfsWPmBQgsSrvfeOpLha0=UCpHzPDD8vQpNQ@mail.gmail.com>
In-Reply-To: <CACKH++ZCwhA9n9GfsWPmBQgsSrvfeOpLha0=UCpHzPDD8vQpNQ@mail.gmail.com>
From: Fangrui Song <i@maskray.me>
Date: Mon, 1 Apr 2024 00:28:43 -0700
X-Gmail-Original-Message-ID: <CAN30aBE=FUw_pX+RBXyhBkC7=P9DcpqBCmC=3w7+mxTHbm_i5A@mail.gmail.com>
Message-ID:
 <DS7PR12MB57652947D0B55DA8CB99F218CB3F2@DS7PR12MB5765.namprd12.prod.outlook.com>
Subject: Re: Remove dependency on libjansson
To: Rui Ueyama <rui314@gmail.com>
Cc: Binutils <binutils@sourceware.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-TMN: [MTa3HJl8WOsv7MjZqily94gyQZAH/YB4]
X-ClientProxiedBy: BN9PR03CA0428.namprd03.prod.outlook.com
 (2603:10b6:408:113::13) To DS7PR12MB5765.namprd12.prod.outlook.com
 (2603:10b6:8:74::19)
X-Microsoft-Original-Message-ID:
 <CAN30aBE=FUw_pX+RBXyhBkC7=P9DcpqBCmC=3w7+mxTHbm_i5A@mail.gmail.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DS7PR12MB5765:EE_|SN7PR12MB7108:EE_
X-MS-Office365-Filtering-Correlation-Id: 78101e31-d946-4505-4e32-08dc521d636a
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
	Errk4JzwhuXbzaXJmxtywAv2j04nYCIG8GbK3Wcm7Pof7sqa+M1epQxIaGjJOZBjz5vgGEmWOnxlWbrvGMiUy+qKdujgwEAuAn3VBW4PTL51/+6uYDG+NFaog58Y4ivGplkvfBwXwACzSO5udlpngFMyNoa1Og8IZoVCm9VSnMXLQXpBC7WxAsN0i3aUsFs7ts4TxSKhB+TvPrrKprpLZEnvBnq+A69U19T1S4oENKVxbs8Su6BwcTd+D9Cb/QJKZjl0mLBMkGpbNAINui7TqeVYkRGF8wrWNGk9AlmzWr1Vwt+EBRzoJppMjXOC4PSpJqVEahvYrPI3OFNLgLYHB8/em1hASvCaI3tWYij1v+vwOaSeul6FkJjVJ31w/egCZeIBZ33fYgJ2ZL/qfWIOju+/jtEg0ZaOrRbv4OUAQRmeugasRgowCH7Ox7O1vnQWAGQbTZtxVHCWmGv/5u++3LEtR3Ons0NmRxSGZU+Pl/UbiU5yk898gjk3HZVIcR7juceAndqNBOg36N4RACRPoGBFds7vDv9b26+YjNhhA9Xqk/LPF074e9z6T2mFku+uzdu0iTdhFrYDiCkIxLIG3cdt5NMQqREyVoaod3aAmKsTQW3MyrivLwnA+K1vNNc6/X3glNwhgn4jWer9begGB18GgoX+l9QILLWt5AyhcaE=
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
	=?utf-8?B?QUFvSm1uZXhrVWpXQzJMenkvNzlwSzBzRGgwRFU1dXpYRWVLUGJTSjlhMGIr?=
 =?utf-8?B?NUtGMzl1cWxlQkFyQjVqWW1mL1htbDdlQ2JwYWVLZGFKYlpXOTk5UlpYSWlw?=
 =?utf-8?B?NDNCL1M1bEYvNmlqRlBqZFQ1MEFpUzFUZzBTNlNIUm5vVlVwQUpqMXF4ZjEr?=
 =?utf-8?B?SkhDc016MnZNOUFiRGFjeHpMQnEweUFhcHpweGNIRVNBbzBVRGFvWFU3R3Vv?=
 =?utf-8?B?YjROYlJpMWJVUDdwMnJQNGNxSlBEbnVwMlQzRjRCc2JzcWo3Q05LQ2Q0T1JM?=
 =?utf-8?B?aWo4eG95UlJPZm1lSGVod2gyYmFyc24vQUM2SjJ6MXQzclFqSkt5NklGb0Zu?=
 =?utf-8?B?VFhCenIxTmlLVUlRSmVYQjZWRzRBUWN4NXArY3AwRHJWaHBlc282aE41OUFW?=
 =?utf-8?B?a2lJeWd6RDZVQkF3aXgyWFpld1U4VnRyekNMa2N4S0FTMEdHOFFqWHJUK2hi?=
 =?utf-8?B?RTBxN0tyaGQxTVgrNGN5ck0rV01BeTdRLzd3UTN2djNXVFhVMmluOTQ3dVRU?=
 =?utf-8?B?YlJJYVI2Y2I2Q0VXcnRhMmM0Z3VFQWRpbHFzYlBVYWQvclJqNXAxdjJlckFU?=
 =?utf-8?B?eTZDQ3JXYVVmS08xR1RWb1d5a3JlcERzWCswdW0xZWx4cHRGN1p6MStFOUFJ?=
 =?utf-8?B?bWVxK2YwaXdHOTJmVDhmM0MxTEg4L0xDNzRjQmcrbXRnSlFwelIyaWlFNlJk?=
 =?utf-8?B?VEVRZkZNSVNXSGFtYlltdWRPTkJRdVNPWkJSTmk2Uy9hU0ZZOXJuY1N4VjhU?=
 =?utf-8?B?TzN0TCtDMnpZWmZBeG5Zb2J3ek02aXp6Z05aQ3N0cnhqV2pmNVAwcGFadUs4?=
 =?utf-8?B?VnFuSUJNem5veTZMWFVqdzhBb3hzRzhQbkVVUkJEVXZkaDhldkcxZExYQ05U?=
 =?utf-8?B?QXpBUWxEY2tIZ29EOGJDeEtqaFl3TmlVQldUdGhLSzZERVRPU1Izd2ZlZ0pm?=
 =?utf-8?B?MEoxZjJDT0VsUFBtVFg5NExwNzZBN0RBY3VlK29GQUdGVWtOOStsWEVXT0hk?=
 =?utf-8?B?WXNqY2E3TlhmeFZBblNZRFh3aFgyT0R0SkZMSDNNdVRzMnd4L0ZTRUY5dHp4?=
 =?utf-8?B?cjB0RzRrMU1WakV0V2JlbDJkMTlwN2lPSjFKZHdoeTQ2OEQ0bWNPWktZVVdy?=
 =?utf-8?B?UjBaTDRXbEtnUkxmdzFIOWJjYVhFU1NWb213clRzbklYeFhEamdhMUlqMUht?=
 =?utf-8?B?U01UTnJFcWR6b0RIVGpwY3U1cXBPTkVYMmJ3cGg4RVJjZHhnb3MxU2hQU2tS?=
 =?utf-8?B?TzZqRGJaZnBLOFZyZWdBcGZ2TG5ld252K3NKbjI5bDdrMVVWbUM1Qkk3MTFn?=
 =?utf-8?B?RXJXRXphWWduelZHaFQvbEVaOGl2cXE1am9HZXJWUndVTjNtY1NidGc1WFlj?=
 =?utf-8?B?Qml1STZaVzVyM242ZHFLUFQwblJoRFFzTWtmRTJ4Kzh2NC95N1NPMWdleGRY?=
 =?utf-8?B?ZVdrcm8yTVhMRTBSUktqRXpXaUl0OCtTaWhkVmlyMXI0MUhQaFE4c2V4WC9u?=
 =?utf-8?B?NFQvejFwajcxcEMrZGNIWU9xdU9hMkEzeTFFR3JKWTFjMUdoVC96dkY2OW1I?=
 =?utf-8?B?NzVaWkkwOEk1QkMwUDd6MDBGcm1JTzJMOUJQOG9UNGZZcHpQTXlRa2laQzY0?=
 =?utf-8?B?b2VVNVd0dzBzTndMRUordW9acnAzeGc9PQ==?=
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-5183d.templateTenant
X-MS-Exchange-CrossTenant-Network-Message-Id: 78101e31-d946-4505-4e32-08dc521d636a
X-MS-Exchange-CrossTenant-AuthSource: DS7PR12MB5765.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Apr 2024 07:28:58.5650
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
	00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR12MB7108
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,KAM_DMARC_STATUS,KAM_INFOUSMEBIZ,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,TXREP autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <binutils.sourceware.org>

On Sun, Mar 31, 2024 at 8:31=E2=80=AFPM Rui Ueyama <rui314@gmail.com> wrote=
:
>
> Hi,
>
> The recent xz incident demonstrated that supply chain attacks are a
> real threat, and dependence on third-party libraries can have
> significant consequences.
>
> In the wake of the incident, I propose we remove the dependency on
> libjansson from GNU ld.
>
> First of all, why does GNU ld depend on libjansson which is a JSON
> parsing library? GNU ld gained the `--package-metadata` option in May
> 2022 to embed a JSON string into a .note section for package
> management for Fedora and other Linux distributions. At the same time,
> the dependency on libjansson, a library for parsing JSON-format
> strings, was introduced to validate an argument for that option. If an
> argument is not a valid JSON string, ld reports an error. If the
> library is unavailable, or if `--disable-jansson` was passed to the
> configure script, the library will not be linked and the error check
> will be disabled. By default, the library will be linked if it exists.
>
> I opposed adding an extra dependency to GNU ld just for string
> verification purposes because it didn't seem worth adding extra
> dependency to the linker. LLVM lld and the mold linker also support
> the option, but they do not verify if the argument is a valid JSON
> string -- they simply treat it as an opaque string. If libjansson is
> unavailable, even GNU ld doesn't verify arguments. Therefore, the
> verification is not trustworthy, and the reader must be prepared for a
> malformed JSON string when reading a .note section. Moreover,
> verifying a string is straightforward without the feature; you can
> simply `echo` the string to pipe it to `jq` for verification before
> passing it to GNU ld.
>
> I just checked /usr/bin/ld on Ubuntu 24.04, which is set to be
> released this month, and the dependency on libjansson was indeed
> present.
>
> How much risk does it pose? Probably not much, as long as the library
> is maintained properly. However, the stakes are high; if someone takes
> control of the library and introduces malicious code, they could
> execute a Ken Thompson-style supply chain attack. Since GNU ld is used
> to build essentially everything, the attacker could in theory gain the
> power to not just contaminate a specific program such as openssh, but
> every executable in an official Linux distribution image. I think the
> risk is not worth taking. I believe we just should remove the string
> verification code and the dependency on the library from GNU ld.
>
> Rui Ueyama

Thanks for bringing this up again. I support removing the json dependency.

I lightly expressed my concern
https://sourceware.org/pipermail/binutils/2022-May/120846.html and
there might be others unsure about the dependency as well.