Message-ID: <79d33b2f-10fe-43a9-8260-878b78bb5ed6@cs.ucla.edu>
Date: Tue, 9 Apr 2024 15:15:21 -0700
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Paul Eggert
Organization: UCLA Computer Science Department
To: Sam James
Cc: noloader@gmail.com, Paul Koning, Jonathon Anderson, Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org

On 4/9/24 14:58, Sam James wrote:
> Meson doesn't allow user-defined functions

Meson has ways to execute arbitrary user-defined code, so it's not immune to this sort of exploit.

It's of course better (all other things being equal) to use a build system with a smaller attack surface. However, any surface of nonzero size is attackable, so I'm not convinced that Meson is significantly safer against a determined insider.

Although the xz exploit was tricky and is now famous (hey! the front page of the New York Times!) fundamentally it was sloppy and amateurish and it succeeded only because xz's project management was even sloppier.

Yes, we need to defend against amateurish attacks. But we shouldn't waste valuable developer time on defenses that won't work against obvious future attacks and that will likely cost more than they'll benefit. That's just security theater.