From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 152193858D28 for ; Tue, 2 Apr 2024 22:09:06 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 152193858D28 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 152193858D28 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712095748; cv=none; b=pbti99YTaqpnbWccn4iey2y8vD9wRRVUZbAERXWoKD4ovyOixfd1rqzcdn6bGDbk/5lAShxmwolnBEcFLwQXtTs3T89KKLtjJYpaIGoJRE4b2AhTov2UlvL2jUAnGrsJa9RlzMdyKXE7TRkQmSRUyBGrE5nlElXX0dSUu86KfMk= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712095748; c=relaxed/simple; bh=RfeCqiOAaiA8TdibRG+LIS/0KY84/30VutYg8pFSJHQ=; h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:To:From; b=AYamdoRWnvi1G7pUQkRIu5AxMqqAjNapDBKJDrdv6qjfTyuKkBd/EE7T08j8Y5WJg4Q2oGkF2CRa4BMKuVsJxs90u4lc+vHdwNShhoAWcv/LerZGAVphgWlJCMz6V+KZy97/oLwnVOF3aKkNpMJV8PLMQ2Mbn2mn+xrS1jHX0FU= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1712095745; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Lk3gMGTtz9Rh5cLi8jEixYwmF62L1bdQbqFKGKs7OIA=; b=fDjEEEC7g3WDIx8QAJyhN2CbF6gd7EiXUl6a0yUPmT9wMr1tIv8I+yi5gn9WMLzsg52X6s C9bIrTgNCKZ4H1frqSZfLpguM+hl89rk7/O0ewAbRZgDGA6E4nN5WjOXf9O4tDzU6F4BMt EreYteSB8JBR25rtETaF0/DKqeR4qzc= Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com [209.85.219.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-456-IPlyO7lbN2qLdLPFRP2Geg-1; Tue, 02 Apr 2024 18:09:04 -0400 X-MC-Unique: IPlyO7lbN2qLdLPFRP2Geg-1 Received: by mail-qv1-f72.google.com with SMTP id 6a1803df08f44-6963cd45fddso7007536d6.1 for ; Tue, 02 Apr 2024 15:09:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712095744; x=1712700544; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Lk3gMGTtz9Rh5cLi8jEixYwmF62L1bdQbqFKGKs7OIA=; b=VSzBoo/Z3BntIXxDJoqm8DofByPU2uv1FYxgCowGhq11QUXiLGUzxkGORAX9yRQ1sW OvX+AQv9r7KJYy5IieloZsT5dbLSSbDMCe2PCMjTn3lplwJcMn1Cjzx9xBUGP35EGpAD +s4SIYK7Lu/1W7MX47JZzhZSs4XegT40Cd1HEavbCvn3u4IcBTYamxkMIdRDD+869S5Y gArk6cywiWPVRebdEVVKwTMWEtWkZVre0PqExIvPACLy81CycKfAcftNQKQqNehn3RVa zCEnndtcrZWx6icPjMLI9CoLJAIoiaoDg22+VoSGC/LUeWfo5BtoIw+suw+/DbTm4EpD d3UQ== X-Forwarded-Encrypted: i=1; AJvYcCXO83fboxbcZRIBcV006fy4VjHDwbv5T9D5isVRv04cqi4L8VHeFFQSD2A+3Wrx/Z9g0GnKUWAWNmf2ckX3lQ7RVAz44cKuB1hM X-Gm-Message-State: AOJu0Yy+VuBefvNRjHPk776RKTeYDc7/pi0Lu6Z+MI3YqXKQpZsI2ccP 1LDc2eR0yVrAFohYwSY3m0jqrIHAJE5Lt8YtHh+32rtSPnP0UPNWR9or6WC+tdWUxIC/13AjxAT XUpvowKF6noFssi4mFvd/o2NAme6pUqfjQ1/8nCHtM/AbRK20ocVldqPz5w== X-Received: by 2002:a05:6214:5595:b0:696:82b5:70f4 with SMTP id mi21-20020a056214559500b0069682b570f4mr1550801qvb.23.1712095743860; Tue, 02 Apr 2024 15:09:03 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFZgQ3LRE8PX3gSOjU1f0ANS3+5lF4Rw0mDyYzY3ar7H7X8SI88CBBVoFJa5vpKXa/YzvgwWw== X-Received: by 2002:a05:6214:5595:b0:696:82b5:70f4 with SMTP id mi21-20020a056214559500b0069682b570f4mr1550768qvb.23.1712095743467; Tue, 02 Apr 2024 15:09:03 -0700 (PDT) Received: from ?IPV6:2804:14d:8084:92c5::1001? ([2804:14d:8084:92c5::1001]) by smtp.gmail.com with ESMTPSA id me6-20020a0562145d0600b0069698528727sm5897808qvb.90.2024.04.02.15.09.01 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Apr 2024 15:09:03 -0700 (PDT) Message-ID: <077b9dd5-0df1-4384-a9d1-58e4283caf09@redhat.com> Date: Tue, 2 Apr 2024 19:08:59 -0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Sourceware mitigating and preventing the next xz-backdoor To: Sandra Loosemore , Mark Wielaard , overseers@sourceware.org Cc: gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> From: Guinevere Larsen In-Reply-To: X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 4/2/24 16:54, Sandra Loosemore wrote: > On 4/1/24 09:06, Mark Wielaard wrote: >> A big thanks to everybody working this long Easter weekend who helped >> analyze the xz-backdoor and making sure the impact on Sourceware and >> the hosted projects was minimal. >> >> This email isn't about the xz-backdoor itself. Do see Sam James FAQ >> https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 >> (Sorry for the github link, but this one does seem viewable without >> proprietary javascript) >> >> We should discuss what we have been doing and should do more to >> mitigate and prevent the next xz-backdoor. There are a couple of >> Sourceware services that can help with that. >> >> TLDR; >> - Replicatable isolated container/VMs are nice, we want more. >> - autoregen buildbots, it should be transparent (and automated) how to >>    regenerate build/source files. >> - Automate (snapshot) releases tarballs. >> - Reproducible releases (from git). >> >> [snip] > > While I appreciate the effort to harden the Sourceware infrastructure > against malicious attacks and want to join in on thanking everyone who > helped analyze this issue, to me it seems like the much bigger problem > is that XZ had a maintainer who appears to have acted in bad faith.  > Are the development processes used by the GNU toolchain components > robust enough to cope with deliberate sabotage of the code base?  Do > we have enough eyes available to ensure that every commit, even those > by designated maintainers, is vetted by someone else?  Do we to harden > our process, too, to require all patches to be signed off by someone > else before committing? > > -Sandra > > What likely happened for the maintainer who acted in bad faith was that they entered the project with bad faith intent from the start - seeing as they were only involved with the project for 2 years, and there was much social pressure from fake email accounts for the single maintainer of XZ to accept help. While we would obviously like to have more area maintainers and possibly global maintainers to help spread the load, I don't think any of the projects listed here are all that susceptible to the same type of social engineering. For one, getting the same type of blanket approval would be a much more involved process because we already have a reasonable amount of people with those privileges, no one is dealing with burnout and sassy customers saying we aren't doing enough. Beyond that, we (GDB) are already experimenting with approved-by, and I think glibc was doing the same. That guarantees at least a second set of eyes that analyzed and agreed with the patch, I don't think signed-off would add more than that tag (even if security was not the reason why we implemented them). -- Cheers, Guinevere Larsen She/Her/Hers