From: Jonathon Anderson
Date: Wed, 10 Apr 2024 11:47:37 -0700
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: "Frank Ch. Eigler"
Cc: Overseers mailing list, Paul Koning, Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org

On Wed, Apr 10, 2024, 07:09 Frank Ch. Eigler wrote:

> Hi -
>
> > In Autotools, `make dist` produces a tarball that contains many
> > files not present in the source repository; it includes build system
> > core files, and this fact was used for the xz attack. In contrast,
> > for newer build systems the "release tarball" is purely a snapshot
> > of the source repository: there is no `cmake dist`, and `meson dist`
> > is essentially `git archive` [...]
>
> For what it's worth, not every auto*-using project uses "make dist" to
> build their release tarballs. If they can get over the matter of
> including auto*-generated scripts being located in the source repo,
> then indeed a "git archive" is sufficient.

This is very true, however a few words of caution: IME this is a
maintainability nightmare. Fixing patches that forgot to regenerate,
regenerating on rebase, confirming everything is up-to-date before
merge, etc etc. It can be handled, I have, but it was painful and
time-consuming. The hardest part was ensuring everyone was actually
running the "right" version of Auto*. (Did you know Debian ships a
different version of the *.m4? That caused more than a few hours lost
to confusion:
https://sources.debian.org/src/autoconf/2.72-2/debian/patches/add-runstatedir.patch)

To make matters worse, this behavior adds a lot of near-duplicate code
and large unreadable changes to patches. For my team that meant we
didn't often read the generated parts of patches with build system
changes, and definitely not close enough to detect any malicious
injections. Which should make everyone here squeamish given the recent
xz attack.

Thanks,
-Jonathon
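The point made in the quoted text, that a `make dist` tarball ships files which a `git archive` snapshot of the same tag does not, can be turned into a release-time check. The script below is an added example, not part of this mail or of any Sourceware project: it lists a release tarball, lists a checkout directory (what `git archive` would contain), and prints every path that exists only in the tarball, so generated build-system files can be reviewed or rejected before the tarball is published. With no arguments it builds a constructed fixture in a temporary directory; the names `pkg-1.0`, `ax_foo.m4` and `lib/foo.c` are placeholders chosen here.

```shell
#!/bin/sh
# Added example: report files present in a release tarball but absent from
# the source tree it claims to be a snapshot of. Generated autotools output
# (configure, Makefile.in, aclocal.m4, build-aux/*) is exactly what
# `make dist` adds and `git archive` does not, so it shows up in the report.
set -eu
export LC_ALL=C   # byte-order sorting so `sort` and `comm` agree

# list_tarball_files TARBALL
# Paths inside the tarball with the top-level directory stripped, one per
# line, sorted. Directory entries (trailing '/') are dropped so that the
# list is comparable with a plain file listing of a checkout.
list_tarball_files() {
    tar -tf "$1" \
        | sed -e 's#^[^/]*/##' -e '/^$/d' -e '/\/$/d' \
        | sort -u
}

# list_tree_files DIR
# Relative paths of regular files under DIR, one per line, sorted.
list_tree_files() {
    (cd "$1" && find . -type f | sed 's#^\./##') | sort -u
}

# extra_in_tarball TARBALL SRCDIR
# Prints paths that are in the tarball but not in the source tree.
# Exits 0 in either case; callers decide whether a non-empty report fails
# the release.
extra_in_tarball() {
    tar_list=$(mktemp)
    src_list=$(mktemp)
    list_tarball_files "$1" > "$tar_list"
    list_tree_files "$2" > "$src_list"
    comm -23 "$tar_list" "$src_list"
    rm -f "$tar_list" "$src_list"
}

# demo
# Builds a constructed fixture: a checkout with hand-written autotools
# inputs, and a "dist" tree that adds generated files, then runs the check.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/m4" "$work/src/lib"
    for f in configure.ac Makefile.am m4/ax_foo.m4 lib/foo.c; do
        printf 'placeholder\n' > "$work/src/$f"     # constructed content
    done
    cp -R "$work/src" "$work/pkg-1.0"
    mkdir -p "$work/pkg-1.0/build-aux"
    for f in configure Makefile.in aclocal.m4 build-aux/install-sh; do
        printf 'generated\n' > "$work/pkg-1.0/$f"   # what `make dist` adds
    done
    tar -cf "$work/pkg-1.0.tar" -C "$work" pkg-1.0
    extra_in_tarball "$work/pkg-1.0.tar" "$work/src"
    rm -rf "$work"
}

# Usage: sh check-dist.sh RELEASE.tar SRCDIR   (no arguments: run the fixture)
if [ "$#" -ge 2 ]; then
    extra_in_tarball "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo
fi
```

Run against a real release by pointing it at the tarball and a fresh `git archive` extraction of the tag; in a release pipeline, treat any output as a stop condition unless every listed path is on an explicit allow-list of files the project deliberately generates at release time.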