From: Sam James via Gdb
Reply-To: Sam James
To: Jonathon Anderson via Gdb
Cc: Paul Koning, Jonathon Anderson, Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Tue, 09 Apr 2024 23:00:39 +0100
Message-ID: <87pluyxkl4.fsf@gentoo.org>
In-Reply-To: <6a1a83fb7f28e876bc9db6777f4bbced0e3e1c49.camel@gmail.com> (Jonathon Anderson via Gdb's message of "Tue, 09 Apr 2024 14:54:16 -0700")
Organization: Gentoo
List-Id: Gdb mailing list

Jonathon Anderson via Gdb writes:

> On Tue, 2024-04-09 at 16:11 -0400, Paul Koning wrote:
>>
>> On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc <gcc@gcc.gnu.org> wrote:
>>
>> > CMake has its own sandbox and rules and escapes (granted, much more of
>> > them). But regardless, the injection code would be committed to the
>> > repository (point 2) and would not hold up to a source directory mounted
>> > read-only (point 3).
>>
>> Why would the injection code necessarily be committed to the
>> repository? It wasn't in the xz attack -- one hole in the
>> procedures is that the kits didn't match the repository and no
>> checks caught this. I don't see how a different build system would
>> cure that issue. Instead, there needs to be some sort of audit that
>> verifies there aren't rogue or modified elements in the kit.
>
> In Autotools, `make dist` produces a tarball that contains many files
> not present in the source repository; it includes build system core
> files and this fact was used for the xz attack. In contrast, for newer
> build systems the "release tarball" is purely a snapshot of the source
> repository: there is no `cmake dist`, and `meson dist` is essentially
> `git archive`
> ([docs](https://mesonbuild.com/Creating-releases.html)). Thus for the
> injection code to be present in the release tarball, it needs to have
> first been checked into the repository.
(Of course, one could modify it after, but the point here is that it's by design reproducible so any differences are suspicious, just to be clear.)

> In fact, packagers don't *need* to use the tarballs, they can (and
> should) use the Git history from the source repository itself. In
> Debian this is one workflow implemented by the popular
> git-buildpackage
> ([docs](https://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.import.upstream-git.html)). The
> third-party package manager
> [Spack](https://spack.readthedocs.io/en/latest/packaging_guide.html#git)
> clones directly from the source repository. Others may have support
> for this as well, this isn't a novel idea.
>
> -Jonathon
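The check implied by the exchange above, a release tarball compared against the repository snapshot so that "any differences are suspicious", as an added example that is not code from this thread or from xz, Meson, Autotools, git-buildpackage or Spack. It assumes POSIX sh, tar with gzip support, sha256sum (or shasum) and awk; the repository tree stands in for what `git archive <tag>` or `meson dist` would produce; the package name pkg-1.0 and the three sample files are constructed for the demo. Paths containing tabs or newlines are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): compare a release tarball against a
# snapshot of the source repository and list every file that exists only in
# the tarball, is missing from it, or differs in content. Files that are
# only in the tarball are exactly the Autotools "make dist" surplus that
# carried the xz injection. Sample tree and package name are constructed.
set -eu

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# "<sha256>\t<relative path>" for every regular file under $1, sorted.
manifest_of_dir() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort |
      while IFS= read -r f; do printf '%s\t%s\n' "$(hash_file "$f")" "$f"; done )
}

# Same manifest for a tarball; strips the single top-level directory that
# release tarballs carry (pkg-1.0/...), assumed to be the only entry.
manifest_of_tarball() {
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch"
    set -- "$scratch"/*
    manifest_of_dir "$1"
    rm -rf "$scratch"
}

# compare_dist REPO_DIR TARBALL prints one finding per line:
#   ADDED   path   only in the tarball (generated or injected files)
#   MISSING path   in the repository snapshot but not in the tarball
#   CHANGED path   present in both with different contents
# and returns 0 only when the tarball matches the snapshot file for file.
compare_dist() {
    repo_manifest=$(mktemp); tar_manifest=$(mktemp)
    manifest_of_dir "$1" > "$repo_manifest"
    manifest_of_tarball "$2" > "$tar_manifest"
    findings=$(awk -F '\t' '
        FILENAME == ARGV[1] { repo[$2] = $1; next }
        { dist[$2] = $1 }
        END {
            for (p in dist) if (!(p in repo)) print "ADDED   " p
            for (p in repo) if (!(p in dist)) print "MISSING " p
            for (p in dist) if ((p in repo) && repo[p] != dist[p]) print "CHANGED " p
        }' "$repo_manifest" "$tar_manifest" | LC_ALL=C sort)
    rm -f "$repo_manifest" "$tar_manifest"
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a tiny "repository" plus two tarballs. clean.tar.gz is
# an honest snapshot; release.tar.gz gained a generated configure script and
# had an m4 macro file edited after the snapshot was taken.
build_demo() {
    mkdir -p "$1/repo/m4" "$1/repo/src" "$1/clean" "$1/tampered"
    printf 'AC_INIT([pkg], [1.0])\n' > "$1/repo/configure.ac"
    printf 'AC_DEFUN([gl_BUILD_TO_HOST], [dnl upstream macro])\n' > "$1/repo/m4/build-to-host.m4"
    printf 'int main(void) { return 0; }\n' > "$1/repo/src/main.c"
    cp -R "$1/repo" "$1/clean/pkg-1.0"
    tar -czf "$1/clean.tar.gz" -C "$1/clean" pkg-1.0
    cp -R "$1/repo" "$1/tampered/pkg-1.0"
    printf '#!/bin/sh\n# generated by autoconf, never committed\n' > "$1/tampered/pkg-1.0/configure"
    printf 'dnl extra line that never appeared in the repository\n' >> "$1/tampered/pkg-1.0/m4/build-to-host.m4"
    tar -czf "$1/release.tar.gz" -C "$1/tampered" pkg-1.0
}

demo=$(mktemp -d)
build_demo "$demo"
echo "== clean.tar.gz vs repo"
compare_dist "$demo/repo" "$demo/clean.tar.gz" && echo "   identical"
echo "== release.tar.gz vs repo"
compare_dist "$demo/repo" "$demo/release.tar.gz" || echo "   mismatch: inspect before building"
rm -rf "$demo"
```

For a real package, replace the repo directory with `git archive --format=tar <tag> | tar -x -C <dir>` of the tag the release claims to be built from; an Autotools project will legitimately show ADDED lines for configure, Makefile.in and similar generated files, and those are the files to diff against a regeneration from the tag rather than trust.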