From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) by sourceware.org (Postfix) with ESMTPS id F19D83858CDA for ; Tue, 2 Apr 2024 19:54:21 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org F19D83858CDA Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=baylibre.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=baylibre.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org F19D83858CDA Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::133 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712087664; cv=none; b=oYH8NgkxtQvfwIwxJ2bBArnjQitv+8YJoJp7FSDMWsnERgIAgFTQhiIXnMoN1ebqeBXeupYXXwCR6fcsVNHI6IIbdCRV4AcKteV+X/UYYvEhkuS+M+xtsqO99KEJytCjo88cVsq/2gQjtb0WiBfaYLuM0C7EG14yMaTWYD3b31o= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712087664; c=relaxed/simple; bh=6MWpTDBigVBAh1h05Qc4novC2kDrxfShRa4I994fQiQ=; h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:To:From; b=eOEzD544cdQ3SHe9tnFED6hSVR0AcHMDQo9xUNBEjGtHVVjfA3/KqJKQzLPhtYKT43IR7SX7jx7bDhhPy3y9GUxEoxCkyO1srNxAoya1fkl9fB4chKcjVCuYJyMa/iaMu/QiFfd7OAyotSdENuoh0sjPZxkAbLx66/2pfk+/MpI= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-il1-x133.google.com with SMTP id e9e14a558f8ab-3688b72d08cso19865715ab.0 for ; Tue, 02 Apr 2024 12:54:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=baylibre-com.20230601.gappssmtp.com; s=20230601; t=1712087661; x=1712692461; darn=sourceware.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=qhOmu9p6sAUifD+xpy2GoftmmRONvE/8Gm1Z3/h4gMg=; b=KH0b9FDGmsHUTVVbbDjc660BIdQ9io938rJk9St167d737z0Zkho7N+8zzsjQePPhS LpbfeXm/eV/prE3Z8kv17Z+9WgeGm3QvTymbZUeZWL2nXBDUF0KC6CH5BYINRjnr2bme Kda8zEellq8vYDjHTVWtGKQsbMAbUogn+ucnblKFVHamagrKWo2tl+YqPhB7gzzI8SUX 2OcF2AiGKBlvTgfPtG7gw37o0HP1QB3uCMXHzNZcNRFVeZ8j9JDIpGWz6XbpIAmH9EP4 UdBDQEYawRgiqageuxZJvNNEcXzWtUpJGDeh78qYUtFiiSw6vzW1FGHdf0XmQKj4lGw9 8gdg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712087661; x=1712692461; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=qhOmu9p6sAUifD+xpy2GoftmmRONvE/8Gm1Z3/h4gMg=; b=Z84Qxn+mdMmbvh6rDPFkbrtbmAcqsYBNb0ifHQOTn48YsLTTtjxJ8PLYRhL03fS9iP Ojxd7Ad+d3il51Dk8smiAnG2U7kryiYuInTA+qbdP3g1ol4hWxgjZxIKojvRr7vWMHwj Hu1kqiWh8h19Dg9GgH8o5hub/ovAECQO1ofY4tON3fZGFS3w84XxYB1/sB7Gg3JKh+BY 9kE6jY0iFka1CTFp96bOf9YwbSphEdWqOhVx3y1nnwc7vHjfY+Q0blujPOyzbJN8IJ38 hqo9K27leswU4hoOix2NNUwO9qMI8Ss3zlaeIlysxhQ6+FJOo67m8X2zOSL8PD2vSzDL gEnw== X-Forwarded-Encrypted: i=1; AJvYcCW3O26fPdcYaugx+SelMO0zr9Evnl03MuF3l3N46CLECehILWF35pk4NKr2iaaMZvndNJMvIYdrnelzuXwrHhWoc8gMtg3uQg== X-Gm-Message-State: AOJu0YzfwW6kKP97a/3KSAZsza0LVNRikbaQYFYvsHxcVvwVcwEC5TBZ vyQkh69oT+Q7izqmMiOz5AudMjlFKIN1dVNC58Tj/Hq+bmpR4l5VqDSjSVlY13CglhiL3ql7iaq u X-Google-Smtp-Source: AGHT+IGmfmVdD5hd1BpBKYtIr3OqwVxmKD1lviUARUU7AibHqDpORRUTrRnUYC/FFFdVlIQX6WJ1DQ== X-Received: by 2002:a92:c26a:0:b0:368:a2cc:1203 with SMTP id h10-20020a92c26a000000b00368a2cc1203mr19121981ild.12.1712087661152; Tue, 02 Apr 2024 12:54:21 -0700 (PDT) Received: from ?IPV6:2601:281:d901:5620:bf41:76d9:1cea:8ac1? ([2601:281:d901:5620:bf41:76d9:1cea:8ac1]) by smtp.gmail.com with ESMTPSA id m16-20020a924b10000000b00369deed83f2sm277031ilg.78.2024.04.02.12.54.20 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Apr 2024 12:54:20 -0700 (PDT) Message-ID: Date: Tue, 2 Apr 2024 13:54:19 -0600 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Sourceware mitigating and preventing the next xz-backdoor To: Mark Wielaard , overseers@sourceware.org Cc: gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> Content-Language: en-US From: Sandra Loosemore In-Reply-To: <20240401150617.GF19478@gnu.wildebeest.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 4/1/24 09:06, Mark Wielaard wrote: > A big thanks to everybody working this long Easter weekend who helped > analyze the xz-backdoor and making sure the impact on Sourceware and > the hosted projects was minimal. > > This email isn't about the xz-backdoor itself. Do see Sam James FAQ > https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 > (Sorry for the github link, but this one does seem viewable without > proprietary javascript) > > We should discuss what we have been doing and should do more to > mitigate and prevent the next xz-backdoor. There are a couple of > Sourceware services that can help with that. > > TLDR; > - Replicatable isolated container/VMs are nice, we want more. > - autoregen buildbots, it should be transparent (and automated) how to > regenerate build/source files. > - Automate (snapshot) releases tarballs. > - Reproducible releases (from git). > > [snip] While I appreciate the effort to harden the Sourceware infrastructure against malicious attacks and want to join in on thanking everyone who helped analyze this issue, to me it seems like the much bigger problem is that XZ had a maintainer who appears to have acted in bad faith. Are the development processes used by the GNU toolchain components robust enough to cope with deliberate sabotage of the code base? Do we have enough eyes available to ensure that every commit, even those by designated maintainers, is vetted by someone else? Do we to harden our process, too, to require all patches to be signed off by someone else before committing? -Sandra