From: Paul Koning
Date: Tue, 2 Apr 2024 16:20:01 -0400
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Paul Eggert
Cc: Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
In-Reply-To: <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu>

> On Apr 2, 2024, at 4:03 PM, Paul Eggert wrote:
>
> On 4/2/24 12:54, Sandra Loosemore wrote:
>> Do we to harden our process, too, to require all patches to be signed off by someone else before committing?
>
> It's easy for an attacker to arrange to have "someone else" in cahoots.
>
> Although signoffs can indeed help catch inadvertent mistakes, they're relatively useless against determined attacks of this form, and we must assume that nation-state attackers will be determined.

Another consideration is the size of the project. "Many eyeballs" helps if there are plenty of people watching. For smaller tools that have only a small body of contributors, it's easier for one or two malicious ones to subvert things.

Would it help to require (rather than just recommend) "don't use root except for the actual 'install' step"?

	paul