From: Sam James
To: Jonathon Anderson
Cc: Paul Eggert, noloader@gmail.com, Paul Koning, Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
In-Reply-To: <80e3a84930065d749169529d99afd7c251a5edc3.camel@gmail.com> (Jonathon Anderson's message of "Tue, 09 Apr 2024 15:03:59 -0700")
Organization: Gentoo
Date: Tue, 09 Apr 2024 23:10:26 +0100
Message-ID: <878r1mxk4t.fsf@gentoo.org>

Jonathon Anderson writes:

> On Tue, 2024-04-09 at 14:50 -0700, Paul Eggert wrote:
>> On 4/9/24 14:40, Jeffrey Walton wrote:
>>> Code provenance and code integrity were not enforced. Part of the
>>> problem is the Autotools design. It is from a bygone era.
>>
>> No, Andreas is right. This isn't an Autotools-vs-Meson thing.
>>
>> Most of the Autotools-based projects I help maintain would have been
>> immune to this particular exploit, partly because they don't maintain
>> their own of Gnulib .m4 files. Conversely, any Meson-based project that
>> had the same sort of out-of-repository sloppiness and lack of review
>> that xz had, would be vulnerable to similar attacks.
>
> Xz doesn't either, the exploit was unique to the distributed make dist
> tarballs. Which is an Autotools quirk present in all Autotools projects.
>
> I won't deny that a project could use Meson and be sloppy, a project
> could use SSL/TLS/whatever and be completely insecure. But Autotools
> encourages and semi-requires this sloppy behavior, and CMake and Meson
> strongly discourage this behavior.

Indeed. Talking about things in the context of "how can we make it easier
to spot" is a good thing.

Obviously if we're trying to resist a state actor, things are very hard.
It doesn't mean don't bother.

> -Jonathon

thanks,
sam
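Sam's point about making divergence "easier to spot", as an added example that is not from this thread or from any of its participants: a POSIX shell check that lists what a release tarball carries beyond the VCS export and flags anything that is not a standard generated Autotools file. The helper names, the constructed sample project and the list of "expected" generated files are assumptions of the example, not anything the thread states.

```shell
# Added example (not from the thread): list what a release tarball carries that
# the VCS export does not. "make dist" always adds generated files (configure,
# Makefile.in, ...); anything else outside the repository deserves review.
# Assumes tar, sed, sort, comm and mktemp; the "expected" list is a heuristic.

# Sorted member list of a tarball, top-level directory stripped so the two
# archives may use different prefix names.
tar_members() {
    tar -tf "$1" | sed 's#^[^/]*/##' | grep -v '^$' | sort -u
}

# Paths present in the dist tarball ($2) but absent from the VCS export ($1).
dist_only() {
    vcs_list=$(mktemp)
    dist_list=$(mktemp)
    tar_members "$1" > "$vcs_list"
    tar_members "$2" > "$dist_list"
    comm -13 "$vcs_list" "$dist_list"
    rm -f "$vcs_list" "$dist_list"
}

# Tag each dist-only path as "expected" (usual Autotools output) or "suspicious".
classify_dist_only() {
    dist_only "$1" "$2" | while IFS= read -r path; do
        case "$path" in
            configure|aclocal.m4|config.h.in|*Makefile.in|build-aux/*|INSTALL)
                printf 'expected %s\n' "$path" ;;
            *)
                printf 'suspicious %s\n' "$path" ;;
        esac
    done
}

# Constructed sample (not a real project): a VCS export, then a dist tarball that
# adds the usual generated files plus one m4 macro file that is not in the repo.
make_samples() {
    work=$(mktemp -d)
    mkdir -p "$work/proj-1.0/m4" "$work/proj-1.0/src"
    printf 'AC_INIT([proj],[1.0])\n' > "$work/proj-1.0/configure.ac"
    printf 'int main(void){return 0;}\n' > "$work/proj-1.0/src/main.c"
    (cd "$work" && tar -cf vcs.tar proj-1.0)
    : > "$work/proj-1.0/configure"
    : > "$work/proj-1.0/Makefile.in"
    : > "$work/proj-1.0/m4/extra-not-in-vcs.m4"
    (cd "$work" && tar -cf dist.tar proj-1.0)
    echo "$work"
}

WORK=$(make_samples)
classify_dist_only "$WORK/vcs.tar" "$WORK/dist.tar"   # one "suspicious" line
rm -rf "$WORK"
```

Against a real release, point the first argument at `git archive` output for the tag and the second at the published tarball; every "suspicious" line is a file that never went through the repository's review.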