From: Jonathon Anderson
Date: Wed, 10 Apr 2024 11:47:37 -0700
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: "Frank Ch. Eigler"
Cc: Overseers mailing list, Paul Koning, Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org

On Wed, Apr 10, 2024, 07:09 Frank Ch. Eigler wrote:

> Hi -
>
> > In Autotools, `make dist` produces a tarball that contains many
> > files not present in the source repository, it includes build system
> > core files and this fact was used for the xz attack. In contrast,
> > for newer build systems the "release tarball" is purely a snapshot
> > of the source repository: there is no `cmake dist`, and `meson dist`
> > is essentially `git archive` [...]
>
> For what it's worth, not every auto* using project uses "make dist" to
> build their release tarballs. If they can get over the matter of
> including auto*-generated scripts being located in the source repo,
> then indeed a "git archive" is sufficient.

This is very true, however a few words of caution: IME this is a maintainability nightmare. Fixing patches that forgot to regenerate, regenerating on rebase, confirming everything is up-to-date before merge, etc etc. It can be handled, I have, but it was painful and time-consuming. The hardest part was ensuring everyone was actually running the "right" version of Auto*. (Did you know Debian ships a different version of the *.m4? That caused more than a few hours lost to confusion: https://sources.debian.org/src/autoconf/2.72-2/debian/patches/add-runstatedir.patch)

To make matters worse, this behavior adds a lot of near-duplicate code and large unreadable changes to patches. For my team that meant we didn't often read the generated parts of patches with build system changes, and definitely not close enough to detect any malicious injections. Which should make everyone here squeamish given the recent xz attack.

Thanks,
-Jonathon
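The thread's central point is that a `make dist` tarball can carry files that never appear in the source repository, whereas `git archive` is a pure snapshot of it. The script below is an added example (not code from the thread or from any project it mentions) of the check a release consumer or maintainer can run to make that difference visible: it compares a release tarball against a repository-snapshot tarball and lists files present only in the release, plus files present in both whose contents differ. In real use the snapshot would be produced by `git archive`; to keep the example runnable offline, both archives are built here from constructed placeholder files (the package name `pkg-1.0`, the file `m4/extra.m4` and all file contents are assumptions, not data from the thread). Only tar, sed, sort, comm, find and cmp are required.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project discussed in it.
# Compares a release tarball against a source-snapshot tarball and reports
# (a) files that exist only in the release and (b) files present in both whose
# contents differ. In real use the snapshot would come from `git archive`;
# here both tarballs are constructed from placeholder files so this runs offline.
set -eu

TMPD=${TMPD:-$(mktemp -d)}

# List the regular-file paths of a tarball with the top-level "<pkg>/" prefix
# removed, so two archives with different top-level names compare by relative path.
member_paths() {
    tar -tf "$1" | sed 's#^[^/]*/##' | grep -v '/$' | grep . | sort -u
}

# Paths in the release tarball ($1) that have no counterpart in the snapshot ($2).
release_only_files() {
    member_paths "$1" > "$TMPD/release.lst"
    member_paths "$2" > "$TMPD/snapshot.lst"
    comm -23 "$TMPD/release.lst" "$TMPD/snapshot.lst"
}

# Paths present in both archives whose contents differ byte-for-byte.
modified_files() {
    rm -rf "$TMPD/r" "$TMPD/s"
    mkdir -p "$TMPD/r" "$TMPD/s"
    tar -xf "$1" -C "$TMPD/r" --strip-components=1
    tar -xf "$2" -C "$TMPD/s" --strip-components=1
    (cd "$TMPD/s" && find . -type f | sed 's#^\./##' | sort) | while read -r f; do
        if [ -f "$TMPD/r/$f" ] && ! cmp -s "$TMPD/s/$f" "$TMPD/r/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Human-readable report combining both checks.
audit_release() {
    echo "== files only in the release tarball (not in the repository snapshot) =="
    release_only_files "$1" "$2"
    echo "== files whose contents differ from the snapshot =="
    modified_files "$1" "$2"
}

# Constructed sample data: a repository snapshot, and a release that adds two
# generated files and alters one source file. All contents are placeholders.
build_samples() {
    mkdir -p "$TMPD/src/pkg-1.0/src" "$TMPD/rel/pkg-1.0/src" "$TMPD/rel/pkg-1.0/m4"
    printf 'AC_INIT([pkg],[1.0])\n'      > "$TMPD/src/pkg-1.0/configure.ac"
    printf 'int main(void){return 0;}\n' > "$TMPD/src/pkg-1.0/src/main.c"
    cp "$TMPD/src/pkg-1.0/configure.ac"    "$TMPD/rel/pkg-1.0/configure.ac"
    printf 'int main(void){return 1;}\n' > "$TMPD/rel/pkg-1.0/src/main.c"
    printf '#!/bin/sh\n# placeholder for a generated configure script\n' \
        > "$TMPD/rel/pkg-1.0/configure"
    printf 'dnl placeholder macro file\n' > "$TMPD/rel/pkg-1.0/m4/extra.m4"
    (cd "$TMPD/src" && tar -cf "$TMPD/snapshot.tar" pkg-1.0)
    (cd "$TMPD/rel" && tar -cf "$TMPD/release.tar" pkg-1.0)
}

build_samples
audit_release "$TMPD/release.tar" "$TMPD/snapshot.tar"
```

Against a real project, replace the constructed `snapshot.tar` with `git archive --prefix=pkg-1.0/ -o snapshot.tar <tag>` run from the repository at the release tag; every path the first check prints is, by construction, something reviewers never saw in a commit, which is exactly the class of file the quoted message warns about.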