From: Florian Weimer
To: Guinevere Larsen via Overseers
Cc: Sandra Loosemore, Mark Wielaard, Guinevere Larsen, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Wed, 03 Apr 2024 10:08:26 +0200
Message-ID: <87il0ykgw5.fsf@oldenburg.str.redhat.com>
In-Reply-To: <077b9dd5-0df1-4384-a9d1-58e4283caf09@redhat.com> (Guinevere Larsen via Overseers's message of "Tue, 2 Apr 2024 19:08:59 -0300")
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <077b9dd5-0df1-4384-a9d1-58e4283caf09@redhat.com>

* Guinevere Larsen via Overseers:

> Beyond that, we (GDB) are already experimenting with approved-by, and
> I think glibc was doing the same.

The glibc project uses Reviewed-by:, but it's completely unrelated to this. Everyone still pushes their own patches, and there are no technical countermeasures in place to ensure that the pushed version is the reviewed version.

Thanks,
Florian
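As an added illustration, not code from this thread or from glibc's or Sourceware's tooling, here is the kind of policy check a server-side hook could run over pushed commits: it rejects a commit whose Reviewed-by: trailer is missing or names only the commit's own author or committer. The commit records are constructed; the check only proves a trailer is present, not that the pushed content is what was reviewed, which is exactly the gap Florian describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample commits in the shape `git log --format='%an <%ae>%n%cn <%ce>%n%B'`
# would produce; none of these are real glibc commits.
SAMPLE_COMMITS = [
    {"author": "Alice Example <alice@example.org>",
     "committer": "Alice Example <alice@example.org>",
     "message": "stdlib: Fix qsort comparator\n\nLong description.\n\n"
                "Reviewed-by: Bob Reviewer <bob@example.org>\n"},
    {"author": "Mallory Example <mallory@example.org>",
     "committer": "Mallory Example <mallory@example.org>",
     "message": "build: Tweak m4 macros\n\n"
                "Reviewed-by: Mallory Example <mallory@example.org>\n"},  # self-approved
    {"author": "Carol Example <carol@example.org>",
     "committer": "Carol Example <carol@example.org>",
     "message": "elf: Refactor loader\n\nNo review trailer at all.\n"},
]

TRAILER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.+)$")
EMAIL_RE = re.compile(r"<([^>]+)>")

def trailers(message: str) -> List[Tuple[str, str]]:
    """Return (token, value) pairs from the last paragraph of a commit message.
    Git treats the final block of lines as the trailer block, and the subject
    line alone never counts as trailers, so a one-paragraph message yields none."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:
        return []
    found = []
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2).strip()))
    return found

def email_of(identity: str) -> str:
    """Normalise 'Name <addr>' to the bare lower-cased address for comparison."""
    m = EMAIL_RE.search(identity)
    return (m.group(1) if m else identity).strip().lower()

def check_commit(commit: dict) -> Optional[str]:
    """Return a rejection reason, or None when at least one Reviewed-by trailer
    names someone other than the commit's author and committer."""
    self_ids = {email_of(commit["author"]), email_of(commit["committer"])}
    reviewers = [email_of(v) for t, v in trailers(commit["message"]) if t == "reviewed-by"]
    if not reviewers:
        return "missing Reviewed-by trailer"
    if all(r in self_ids for r in reviewers):
        return "Reviewed-by names only the author/committer"
    return None

def check_push(commits: List[dict]) -> Dict[int, str]:
    """Map the index of each rejected commit to its reason; empty means accept the push."""
    return {i: r for i, c in enumerate(commits) if (r := check_commit(c)) is not None}
```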