From: Guinevere Larsen
Date: Tue, 2 Apr 2024 19:21:47 -0300
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Sandra Loosemore, Mark Wielaard, overseers@sourceware.org

On Tue, Apr 2, 2024 at 7:09 PM Guinevere Larsen wrote:
> On 4/2/24 16:54, Sandra Loosemore wrote:
> > On 4/1/24 09:06, Mark Wielaard wrote:
> >> A big thanks to everybody working this long Easter weekend who helped
> >> analyze the xz-backdoor and make sure the impact on Sourceware and
> >> the hosted projects was minimal.
> >>
> >> This email isn't about the xz-backdoor itself. Do see Sam James' FAQ
> >> https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
> >> (Sorry for the github link, but this one does seem viewable without
> >> proprietary javascript)
> >>
> >> We should discuss what we have been doing and should do more to
> >> mitigate and prevent the next xz-backdoor. There are a couple of
> >> Sourceware services that can help with that.
> >>
> >> TLDR;
> >> - Replicable isolated container/VMs are nice, we want more.
> >> - autoregen buildbots, it should be transparent (and automated) how to
> >> regenerate build/source files.
> >> - Automate (snapshot) release tarballs.
> >> - Reproducible releases (from git).
> >>
> >> [snip]
> >
> > While I appreciate the effort to harden the Sourceware infrastructure
> > against malicious attacks and want to join in on thanking everyone who
> > helped analyze this issue, to me it seems like the much bigger problem
> > is that XZ had a maintainer who appears to have acted in bad faith.
> > Are the development processes used by the GNU toolchain components
> > robust enough to cope with deliberate sabotage of the code base? Do
> > we have enough eyes available to ensure that every commit, even those
> > by designated maintainers, is vetted by someone else? Do we need to
> > harden our process, too, to require all patches to be signed off by
> > someone else before committing?
> >
> > -Sandra
> >
>
> What likely happened for the maintainer who acted in bad faith was that
> they entered the project with bad faith intent from the start - seeing
> as they were only involved with the project for 2 years, and there was
> much social pressure from fake email accounts for the single maintainer
> of XZ to accept help.
>
> While we would obviously like to have more area maintainers and possibly
> global maintainers to help spread the load, I don't think any of the
> projects listed here are all that susceptible to the same type of social
> engineering. For one, getting the same type of blanket approval would be
> a much more involved process because we already have a reasonable amount
> of people with those privileges, no one is dealing with burnout and
> sassy customers saying we aren't doing enough.

As someone helpfully pointed out privately, I expressed myself badly here.
I meant that no one project is experiencing that for the whole maintainer
community. Individual maintainers may, of course, be going through
difficult times and/or customers, but a single maintainer needing to step
down won't halt the whole project, leading to the rushed trust and thus
exploitation that happened for the XZ project.
> Beyond that, we (GDB) are already experimenting with approved-by, and I
> think glibc was doing the same. That guarantees at least a second set of
> eyes that analyzed and agreed with the patch; I don't think signed-off
> would add more than that tag (even if security was not the reason why we
> implemented them).
>
> --
> Cheers,
> Guinevere Larsen
> She/Her/Hers
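The approved-by practice discussed above, as an added example that is not part of this thread and not GDB's or glibc's own tooling: a check that a commit's Approved-By trailer names someone other than the commit author, so that self-approval does not count as the "second set of eyes". The trailer layout (final paragraph of the commit message) and the sample commit messages are constructed for illustration.

```python
import re

# Trailer lines look like "Approved-By: Name <addr>"; the trailer block is the
# final paragraph of the commit message (constructed convention for this example).
TRAILER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z-]*):\s*(?P<value>.+?)\s*$")
EMAIL_RE = re.compile(r"<([^>]+)>")


def parse_trailers(message):
    """Return (lower-cased key, value) pairs from the trailer block, if any."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:  # subject only: there is no trailer block
        return []
    trailers = []
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line)
        if not m:  # the last paragraph is prose, not trailers
            return []
        trailers.append((m.group("key").lower(), m.group("value")))
    return trailers


def identity_email(value):
    """Pull the address out of 'Name <addr>' (or a bare address), lower-cased."""
    m = EMAIL_RE.search(value)
    return (m.group(1) if m else value).strip().lower()


def independent_approvers(message, author_email):
    """Approved-By addresses that differ from the author: self-approval is not review."""
    author = author_email.strip().lower()
    return sorted({identity_email(v) for k, v in parse_trailers(message)
                   if k == "approved-by" and identity_email(v) != author})


def check_commit(message, author_email):
    """True when a second person, not the author, approved the commit."""
    return bool(independent_approvers(message, author_email))


# Constructed sample commit messages (not real GDB history).
GOOD = "gdb: fix frame unwinder\n\nApproved-By: Reviewer One <reviewer@example.org>\n"
SELF = "gdb: fix frame unwinder\n\nApproved-By: Author <author@example.org>\n"
NONE = "gdb: fix frame unwinder\n"

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("SELF", SELF), ("NONE", NONE)):
        print(name, "ok" if check_commit(msg, "Author@Example.org") else "REJECT")
```

Run as a pre-receive or CI check over each pushed commit, the author address comes from the commit metadata and the message from the commit body; the comparison is case-insensitive on the address so a differently-cased self-approval is still rejected.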