Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Martin Uecker
To: Ian Lance Taylor, Paul Koning
Cc: Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Date: Wed, 03 Apr 2024 08:26:47 +0200

On Tuesday, 02.04.2024 at 13:28 -0700, Ian Lance Taylor via Gcc wrote:
> On Tue, Apr 2, 2024 at 1:21 PM Paul Koning via Gcc wrote:
> >
> > Would it help to require (rather than just recommend) "don't use root
> > except for the actual 'install' step" ?
>
> Seems reasonable, but note that it wouldn't make any difference to
> this attack. The liblzma library was modified to corrupt the sshd
> binary, when sshd was linked against liblzma. The actual attack
> occurred via a connection to a corrupt sshd. If sshd was running as
> root, as is normal, the attacker had root access to the machine. None
> of the attacking steps had anything to do with having root access
> while building or installing the program.

There does not seem to be a single good solution against something like this.
My takeaway is that software needs to become less complex. Do
we really still need complex build systems such as autoconf?
Are there still so many different configurations with subtle differences
that every single feature needs to be tested individually by
running code at build time?

Martin