From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) by sourceware.org (Postfix) with ESMTPS id 9C53438754A1 for ; Tue, 9 Apr 2024 21:54:19 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 9C53438754A1 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 9C53438754A1 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::234 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712699662; cv=none; b=xKgaH0G6hH3oDN5Hi3GbE31GiNkzRFsZLh8BbDwK+YDWkVpGbU06paLvDgt3Y8SNW6Ax7yIKP5paHvFE6bSbI141By0ZqlnojS5KOSSDKC1RfOZdWD350hIODCkVxiwE40n+0psRWe8LuVk4JTr/vw1jPAP/YWFXp4FC0W6R+J8= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712699662; c=relaxed/simple; bh=sYxrz5uDQKd9QZnBu0fRtV340B8eTcbGkBDWalsrh3M=; h=DKIM-Signature:Message-ID:Subject:From:To:Date:MIME-Version; b=GvVXt7sFMe60A46SAoQK6tpeU1k3KUPHsLzpt+3EWmFk4I9gEdKAO7fo4lefVLltgIt8w22Sd1XU3kwodey0C9Y8oCiusjTjce5OTS6pOLRasXw4a9QCHrTlGIB1/fsZopLqJyX3BijqPBmkOnSiWqriPSE+MOF+VScrYLjI2cc= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-oi1-x234.google.com with SMTP id 5614622812f47-3c5ebfd8fe9so634305b6e.1 for ; Tue, 09 Apr 2024 14:54:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712699659; x=1713304459; darn=gcc.gnu.org; h=mime-version:user-agent:references:in-reply-to:date:cc:to:from :subject:message-id:from:to:cc:subject:date:message-id:reply-to; bh=sYxrz5uDQKd9QZnBu0fRtV340B8eTcbGkBDWalsrh3M=; b=F4I4oPWAQYTg4R/5T+RPA3/f5fYUd3CTRV9eeF6Yl9Vv2t/qXwe3JUOFp0YZP/OThh SzQz/6nyzwzvORClVnY8uXZQ6SNSkuFW8Ag4RAE+swEfNjtUuPJk28vZoucCybaTFbtn 5hKiJWAk7Z38AaZm9RRI+ukdA3bOaJNkgB5lAToEC7wlLGvQKqEWrGaZpp+sczurPDRr Kmhb+M2MeoQ96nlwjvqXFXGHRv3rLctZSgtFB3BNYxn2RRuROAvoniOujiLi3QFrOxVQ gK5gV7vx8tbAxpUBH61Nn0YNgjO5dvi5RkTbNVCC3U3rogbbO8IDL78gxPqN1scCDEc9 OSzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712699659; x=1713304459; h=mime-version:user-agent:references:in-reply-to:date:cc:to:from :subject:message-id:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=sYxrz5uDQKd9QZnBu0fRtV340B8eTcbGkBDWalsrh3M=; b=HOuVg12DecdsWhLGMuRpd+pXsxYr9TPfok+3mTTcM6Hd5+YgUAI0E3t9VeHLJ+JrLX vLH3kmEBU0eZXw5ztuUWQEgvcVnI58Z52qDqYfqOgmb9xmHbeLg+waa92BmNFhWkS3sT zND7F2tim8h9vsnOpP/r85IlwJ4bo2MDcp5bY7v1zdhszCSSSRBEHEo/obRAFPQlaxFq wpk1D65XZtMVmXHjnHAh38cvvaLP10oVV9JXokKS8EjzU5W7ooTlXL1ooZTUvD+P1QO7 Ojn48zilTqiAGKmTwy/PAMu7ceKL42CO7V2v2dbWEkNbrsSybIznAFSSkI5JbeqcqfwA kEew== X-Forwarded-Encrypted: i=1; AJvYcCW5LhBwHzc1NhZ9aGM4bXTipjAWDFG9zrB6jvI2YeMPfHhUrdW239rYq2gAsSUuZ0qVhVwd9F0t+84Ur/18QQU= X-Gm-Message-State: AOJu0Yw5dlD1l9RrTqXclq0ZLlDassSCDQzyW7IsFJMR5ztC2C7nchhG LcgsmN4vSLm75mz+JXSlBOF8sf3FOkvt3Jc1JxKAmIwwmSWGpD7W X-Google-Smtp-Source: AGHT+IGBATv3oUduWIMzQX05oMnWhVUnqQXLTw59/HE4P1Toca069UCOnFnm7PTfIT5Haj9IwtFmYA== X-Received: by 2002:a05:6808:1a86:b0:3c5:fe35:4155 with SMTP id bm6-20020a0568081a8600b003c5fe354155mr707097oib.6.1712699658731; Tue, 09 Apr 2024 14:54:18 -0700 (PDT) Received: from [10.41.6.67] ([24.75.238.76]) by smtp.gmail.com with ESMTPSA id a7-20020aca1a07000000b003c5e679337esm1211568oia.47.2024.04.09.14.54.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Apr 2024 14:54:18 -0700 (PDT) Message-ID: <6a1a83fb7f28e876bc9db6777f4bbced0e3e1c49.camel@gmail.com> Subject: Re: Sourceware mitigating and preventing the next xz-backdoor From: Jonathon Anderson To: Paul Koning Cc: Andreas Schwab , Michael Matz , Martin Uecker , Ian Lance Taylor , Paul Eggert , Sandra Loosemore , Mark Wielaard , overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org Date: Tue, 09 Apr 2024 14:54:16 -0700 In-Reply-To: <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net> References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu> <6239192ba9ff8aad0752309a54b633dc75a57c77.camel@tugraz.at> <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de> <41394737-6f2d-86e7-5742-e0a794f9f63c@suse.de> <4dd125546c920da4cc744a93f230917a7311c7fb.camel@gmail.com> <87h6gazafa.fsf@igel.home> <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net> Content-Type: multipart/alternative; boundary="=-m1sg6cnZU8pqrCIsX7JT" User-Agent: Evolution 3.46.4-2 MIME-Version: 1.0 X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP,URIBL_SBL_A autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: --=-m1sg6cnZU8pqrCIsX7JT Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, 2024-04-09 at 16:11 -0400, Paul Koning wrote: > > On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc <[gcc@gcc.gnu.org](= mailto:gcc@gcc.gnu.org)> wrote: > > > CMake has its own sandbox and rules and escapes (granted, much more of > > them). But regardless, the injection code would be committed to the > > repository (point 2) and would not hold up to a source directory mounted > > read-only (point 3). >=20 > Why would the injection code necessarily be committed to the repository?= =C2=A0 It wasn't in the xz attack -- one hole in the procedures is that the= kits didn't match the repository and no checks caught this.=C2=A0 I don't = see how a different build system would cure that issue.=C2=A0 Instead, ther= e needs to be some sort of audit that verifies there aren't rogue or modifi= ed elements in the kit. In Autotools, `make dist` produces a tarball that contains many files not p= resent in the source respoitory, it includes build system core files and th= is fact was used for the xz attack. In contrast, for newer build systems th= e "release tarball" is purely a snapshot of the source repository: there is= no `cmake dist`, and `meson dist` is essentially `git archive` ([docs](htt= ps://mesonbuild.com/Creating-releases.html)). Thus for the injection code t= o be present in the release tarball, it needs to have first been checked in= to the repository. In fact, packagers don't *need* to use the tarballs, they can (and should) = use the Git history from the source repository itself. In Debian this is on= e workflow implemented by the popular git-buildpackage ([docs](https://honk= .sigxcpu.org/projects/git-buildpackage/manual-html/gbp.import.upstream-git.= html)). The third-party package manager [Spack](https://spack.readthedocs.i= o/en/latest/packaging_guide.html#git) clones directly from the source repos= itory. Others may have support for this as well, this isn't a novel idea. -Jonathon --=-m1sg6cnZU8pqrCIsX7JT--