From: Sam James
To: Jonathon Anderson via Gdb
Cc: Paul Koning, Jonathon Anderson, Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
In-Reply-To: <6a1a83fb7f28e876bc9db6777f4bbced0e3e1c49.camel@gmail.com> (Jonathon Anderson via Gdb's message of "Tue, 09 Apr 2024 14:54:16 -0700")
Organization: Gentoo
Date: Tue, 09 Apr 2024 23:00:39 +0100
Message-ID: <87pluyxkl4.fsf@gentoo.org>

Jonathon Anderson via Gdb writes:

> On Tue, 2024-04-09 at 16:11 -0400, Paul Koning wrote:
>>
>> On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc <[gcc@gcc.gnu.org](mailto:gcc@gcc.gnu.org)> wrote:
>>
>> > CMake has its own sandbox and rules and escapes (granted, much more of
>> > them). But regardless, the injection code would be committed to the
>> > repository (point 2) and would not hold up to a source directory mounted
>> > read-only (point 3).
>>
>> Why would the injection code necessarily be committed to the
>> repository? It wasn't in the xz attack -- one hole in the
>> procedures is that the kits didn't match the repository and no
>> checks caught this. I don't see how a different build system would
>> cure that issue. Instead, there needs to be some sort of audit that
>> verifies there aren't rogue or modified elements in the kit.
>
> In Autotools, `make dist` produces a tarball that contains many files
> not present in the source repository, it includes build system core
> files and this fact was used for the xz attack. In contrast, for newer
> build systems the "release tarball" is purely a snapshot of the source
> repository: there is no `cmake dist`, and `meson dist` is essentially
> `git archive`
> ([docs](https://mesonbuild.com/Creating-releases.html)). Thus for the
> injection code to be present in the release tarball, it needs to have
> first been checked into the repository.

(Of course, one could modify it after, but the point here is that it's
by design reproducible so any differences are suspicious, just to be
clear.)

> In fact, packagers don't *need* to use the tarballs, they can (and
> should) use the Git history from the source repository itself. In
> Debian this is one workflow implemented by the popular
> git-buildpackage
> ([docs](https://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.import.upstream-git.html)). The
> third-party package manager
> [Spack](https://spack.readthedocs.io/en/latest/packaging_guide.html#git)
> clones directly from the source repository. Others may have support
> for this as well, this isn't a novel idea.
>
> -Jonathon
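The audit Paul asks for above, applied to the property Jonathon describes (a `git archive`-style release is a pure snapshot of the repository, so any difference is suspicious), as an added example that is not part of the thread: it hashes every file in a release tarball and in a directory extracted from `git archive <tag>`, then reports kit files the repository does not contain, kit files whose content differs, and repository files the kit omits. The `demo-1.0` package, its two files and the `build_demo`/`run_demo` helpers are constructed here for the demonstration only.

```python
import hashlib, io, os, tarfile, tempfile

def tree_digest(root: str) -> dict:  # relative path -> sha256 under root (an extracted `git archive <tag>`)
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def tarball_digest(path: str) -> dict:  # path with the leading 'pkg-ver/' stripped -> sha256
    out = {}
    with tarfile.open(path, "r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name.split("/", 1)[-1]] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def audit(repo_dir: str, tarball: str) -> dict:
    """Kit files absent from the repo, kit files whose content differs, repo files left out."""
    repo, kit = tree_digest(repo_dir), tarball_digest(tarball)
    return {"extra": sorted(kit.keys() - repo.keys()),
            "modified": sorted(p for p in kit.keys() & repo.keys() if kit[p] != repo[p]),
            "missing": sorted(repo.keys() - kit.keys())}

def build_demo(tmp: str) -> tuple:
    """Constructed sample: a two-file 'repository' and a kit with one altered and one extra file."""
    repo_files = {"configure.ac": b"AC_INIT([demo], [1.0])\n", "m4/helper.m4": b"dnl pristine\n"}
    kit_files = {**repo_files, "m4/helper.m4": b"dnl pristine\ndnl line present only in the kit\n",
                 "configure": b"# generated by autoconf, never committed\n"}
    repo = os.path.join(tmp, "repo")
    for rel, data in repo_files.items():
        os.makedirs(os.path.dirname(os.path.join(repo, rel)), exist_ok=True)
        with open(os.path.join(repo, rel), "wb") as fh:
            fh.write(data)
    kit = os.path.join(tmp, "demo-1.0.tar.gz")
    with tarfile.open(kit, "w:gz") as tf:
        for rel, data in kit_files.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return repo, kit

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return audit(*build_demo(tmp))

if __name__ == "__main__":
    print(run_demo())  # → {'extra': ['configure'], 'modified': ['m4/helper.m4'], 'missing': []}
```

Against a real release, point `audit` at the directory produced by `git archive <tag> | tar -x` and at the published tarball; an empty `extra` and `modified` list is what a `meson dist`-style snapshot release should yield.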