Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Jonathon Anderson
To: Michael Matz, Martin Uecker
Cc: Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Date: Wed, 03 Apr 2024 13:46:36 -0500
In-Reply-To: <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu> <6239192ba9ff8aad0752309a54b633dc75a57c77.camel@tugraz.at> <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de>

Hello all,

On Wed, 2024-04-03 at 16:00 +0200, Michael Matz wrote:
> > My takeaway is that software needs to become less complex. Do
> > we really still need complex build systems such as autoconf?
>
> (And, FWIW, testing for features isn't "complex". And have you looked at
> other build systems? I have, and none of them are less complex, just
> opaque in different ways from make+autotools).

Some brief opinions from a humble end-user:

I think the key difference here is that Autotools allows arbitrarily generated code to be executed at any time. More modern build systems require the use of specific commands/files to run arbitrary code, e.g. CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson ([`run_command()`][1]), Cargo ([`build.rs`][4]).
IMHO there are similarities here to the memory "safety" of Rust: Rust code can have memory errors, but they can only come from Rust code declared as `unsafe` (or bugs in the compiler itself). The scope is limited and those scopes can be audited with more powerful microscopes... and removed if/when the build system gains first-class support upstream.

There are other features in the newest build systems listed here (Meson and Cargo) that make this particular attack vector harder. These build systems don't have release tarballs with auxiliary files (e.g. [Meson's is very close to `git archive`][5]), nor do their DSLs allow writing files to the source tree. One could imagine a build/CI worker where the source tree is a read-only bind-mount of a `git archive` extract; that might help defend against attacks of this specific design.

It's also worth noting that Meson and Cargo use non-Turing-complete declarative DSLs for their build configuration. This implies there is an upper bound on the [cyclomatic complexity][6]-per-line of the build script DSL itself. That doesn't mean you can't write complex Meson code (I have), but it ends up being suspiciously long and thus clear that something complex and out of the ordinary is being done.

Of course, this doesn't make the build system any less complex, but projects using newer build systems seem easier to secure and audit than those using overly flexible build systems like Autotools and maybe even CMake. IMHO using a late-model build system is a relatively low technical hurdle to overcome for the benefits noted above; switching should be considered, and in a positive light.

(For context: my team recently switched our main C/C++ project from Autotools to Meson. The one-time refactor itself was an effort, but after that we got back up to speed quickly and we haven't looked back. Other projects may have an easier time using an unofficial port in the [Meson WrapDB][7] as a starting point.)

-Jonathon

[1]: https://mesonbuild.com/External-commands.html
[2]: https://cmake.org/cmake/help/latest/command/execute_process.html#execute-process
[3]: https://cmake.org/cmake/help/latest/module/ExternalProject.html
[4]: https://doc.rust-lang.org/cargo/reference/build-scripts.html
[5]: https://mesonbuild.com/Creating-releases.html
[6]: https://en.wikipedia.org/wiki/Cyclomatic_complexity
[7]: https://mesonbuild.com/Wrapdb-projects.html
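As an added example (not part of the mail or any project it mentions), a small Python audit along the lines Jonathon describes: it enumerates the few constructs through which CMake, Meson and Cargo build scripts can run arbitrary code, so those scopes can be reviewed, and it diffs a release tarball's file list against a `git archive` listing to surface auxiliary files that were never in the tree. The construct names are the ones from the mail plus CMake's `add_custom_command` and Meson's `custom_target`, which are my additions; the path lists in the test are constructed inputs.

```python
import re
from pathlib import Path

# Constructs through which each build-script DSL can run arbitrary code.
# From the mail: execute_process/ExternalProject (CMake), run_command
# (Meson), build.rs (Cargo). add_custom_command and custom_target are added
# here as the matching build-time hooks (an assumption, not from the mail).
EXEC_CALLS = {
    "cmake": re.compile(r"\b(execute_process|ExternalProject_Add|add_custom_command)\s*\("),
    "meson": re.compile(r"\b(run_command|custom_target)\s*\("),
}

def build_system_of(name):
    """Classify a file by its name; None means it is not a build script."""
    if name == "CMakeLists.txt" or name.endswith(".cmake"):
        return "cmake"
    if name == "meson.build":
        return "meson"
    return "cargo" if name == "build.rs" else None

def scan_build_file(name, text):
    """Return [(line_no, construct)] for the code-execution points in one file.
    A Cargo build.rs is arbitrary code as a whole, so it is reported as line 0."""
    system = build_system_of(name)
    if system is None:
        return []
    if system == "cargo":
        return [(0, "build.rs")]
    pat = EXEC_CALLS[system]
    return [(n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
            if (m := pat.search(line))]

def audit_tree(root):
    """Walk an unpacked source tree and list every code-execution point in it."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and build_system_of(path.name) is not None:
            rel = str(path.relative_to(root))
            found = scan_build_file(path.name, path.read_text(errors="replace"))
            hits += [(rel, n, c) for n, c in found]
    return sorted(hits)

def tarball_only_files(tarball_paths, git_archive_paths):
    """Files shipped in a release tarball that `git archive` did not produce,
    i.e. the auxiliary files the mail says Meson and Cargo releases don't carry.
    Both listings are expected to carry the same 'project-x.y/' top-level prefix."""
    def strip(paths):  # drop the prefix so the two listings are comparable
        return {p.partition("/")[2] for p in paths if p.partition("/")[2]}
    return sorted(strip(tarball_paths) - strip(git_archive_paths))
```

Run `audit_tree("path/to/unpacked/source")` on a real checkout to get the list of places that deserve a close read; anything else in the build scripts is declarative.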