From: Guinevere Larsen <blarsen@redhat.com>
To: Sandra Loosemore <sloosemore@baylibre.com>,
Mark Wielaard <mark@klomp.org>,
overseers@sourceware.org
Cc: gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org,
libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Tue, 2 Apr 2024 19:08:59 -0300 [thread overview]
Message-ID: <077b9dd5-0df1-4384-a9d1-58e4283caf09@redhat.com> (raw)
In-Reply-To: <fc3d8fe6-bfec-474d-a9ed-895067654603@baylibre.com>
On 4/2/24 16:54, Sandra Loosemore wrote:
> On 4/1/24 09:06, Mark Wielaard wrote:
>> A big thanks to everybody working this long Easter weekend who helped
>> analyze the xz-backdoor and making sure the impact on Sourceware and
>> the hosted projects was minimal.
>>
>> This email isn't about the xz-backdoor itself. Do see Sam James FAQ
>> https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
>> (Sorry for the github link, but this one does seem viewable without
>> proprietary javascript)
>>
>> We should discuss what we have been doing and should do more to
>> mitigate and prevent the next xz-backdoor. There are a couple of
>> Sourceware services that can help with that.
>>
>> TLDR;
>> - Replicatable isolated container/VMs are nice, we want more.
>> - autoregen buildbots, it should be transparent (and automated) how to
>> regenerate build/source files.
>> - Automate (snapshot) releases tarballs.
>> - Reproducible releases (from git).
>>
>> [snip]
>
> While I appreciate the effort to harden the Sourceware infrastructure
> against malicious attacks and want to join in on thanking everyone who
> helped analyze this issue, to me it seems like the much bigger problem
> is that XZ had a maintainer who appears to have acted in bad faith.
> Are the development processes used by the GNU toolchain components
> robust enough to cope with deliberate sabotage of the code base? Do
> we have enough eyes available to ensure that every commit, even those
> by designated maintainers, is vetted by someone else? Do we to harden
> our process, too, to require all patches to be signed off by someone
> else before committing?
>
> -Sandra
>
>
What likely happened for the maintainer who acted in bad faith was that
they entered the project with bad faith intent from the start - seeing
as they were only involved with the project for 2 years, and there was
much social pressure from fake email accounts for the single maintainer
of XZ to accept help.
While we would obviously like to have more area maintainers and possibly
global maintainers to help spread the load, I don't think any of the
projects listed here are all that susceptible to the same type of social
engineering. For one, getting the same type of blanket approval would be
a much more involved process because we already have a reasonable amount
of people with those privileges, no one is dealing with burnout and
sassy customers saying we aren't doing enough.
Beyond that, we (GDB) are already experimenting with approved-by, and I
think glibc was doing the same. That guarantees at least a second set of
eyes that analyzed and agreed with the patch, I don't think signed-off
would add more than that tag (even if security was not the reason why we
implemented them).
--
Cheers,
Guinevere Larsen
She/Her/Hers
next prev parent reply other threads:[~2024-04-02 22:09 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 20:39 Security warning about xz library compromise Mark Wielaard
2024-04-01 15:06 ` Sourceware mitigating and preventing the next xz-backdoor Mark Wielaard
2024-04-02 19:54 ` Sandra Loosemore
2024-04-02 20:03 ` Paul Eggert
2024-04-02 20:20 ` Paul Koning
2024-04-02 20:28 ` Ian Lance Taylor
2024-04-03 6:26 ` Martin Uecker
2024-04-03 14:00 ` Michael Matz
2024-04-03 14:14 ` Paul Koning
2024-04-03 14:32 ` Martin Uecker
2024-04-03 14:46 ` Jeffrey Walton
2024-04-03 16:02 ` Michael Matz
2024-04-03 16:26 ` Joel Sherrill
2024-04-03 16:32 ` Martin Uecker
2024-04-03 16:51 ` Andreas Schwab
2024-04-03 16:56 ` Jonathan Wakely
2024-04-03 18:46 ` Jonathon Anderson
2024-04-03 19:01 ` Martin Uecker
2024-04-05 21:15 ` Andrew Sutton
2024-04-06 13:00 ` Richard Biener
2024-04-06 15:59 ` Martin Uecker
2024-04-04 13:59 ` Michael Matz
2024-04-09 16:44 ` anderson.jonathonm
2024-04-09 17:57 ` Andreas Schwab
2024-04-09 19:59 ` Jonathon Anderson
2024-04-09 20:11 ` Paul Koning
2024-04-09 21:40 ` Jeffrey Walton
2024-04-09 21:50 ` Paul Eggert
2024-04-09 21:58 ` Sam James
2024-04-09 22:15 ` Paul Eggert
2024-04-09 22:22 ` Sam James
2024-04-09 22:53 ` Paul Eggert
2024-04-09 22:03 ` Jonathon Anderson
2024-04-09 22:10 ` Sam James
2024-04-09 21:54 ` Jonathon Anderson
2024-04-09 22:00 ` Sam James
2024-04-10 14:09 ` Frank Ch. Eigler
2024-04-10 18:47 ` Jonathon Anderson
2024-04-10 19:00 ` Frank Ch. Eigler
2024-04-10 10:26 ` Claudio Bantaloukas
2024-04-02 22:08 ` Guinevere Larsen [this message]
2024-04-02 22:21 ` Guinevere Larsen
2024-04-02 22:50 ` Jeffrey Walton
2024-04-02 23:20 ` Mark Wielaard
2024-04-02 23:34 ` Paul Koning
2024-04-03 0:37 ` Jeffrey Walton
2024-04-03 8:08 ` Florian Weimer
2024-04-03 13:53 ` Joel Sherrill
2024-04-04 10:25 ` Mark Wielaard
2024-04-10 16:30 ` Alejandro Colomar
2024-04-21 15:30 ` Mark Wielaard
2024-04-21 20:40 ` Alejandro Colomar
2024-04-21 20:52 ` Alejandro Colomar
2024-04-30 11:28 ` Alejandro Colomar
2024-04-03 14:04 ` Tom Tromey
2024-04-03 14:42 ` Jeff Law
2024-04-04 10:48 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=077b9dd5-0df1-4384-a9d1-58e4283caf09@redhat.com \
--to=blarsen@redhat.com \
--cc=binutils@sourceware.org \
--cc=gcc@gcc.gnu.org \
--cc=gdb@sourceware.org \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
--cc=overseers@sourceware.org \
--cc=sloosemore@baylibre.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).