From: Jonathon Anderson via Gdb
Reply-To: Jonathon Anderson
Date: Wed, 10 Apr 2024 11:47:37 -0700
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: "Frank Ch. Eigler"
Cc: Overseers mailing list, Paul Koning, Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
List-Id: Gdb mailing list
References: <6239192ba9ff8aad0752309a54b633dc75a57c77.camel@tugraz.at> <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de> <41394737-6f2d-86e7-5742-e0a794f9f63c@suse.de> <4dd125546c920da4cc744a93f230917a7311c7fb.camel@gmail.com> <87h6gazafa.fsf@igel.home> <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net> <6a1a83fb7f28e876bc9db6777f4bbced0e3e1c49.camel@gmail.com>

On Wed, Apr 10, 2024, 07:09 Frank Ch. Eigler wrote:

> Hi -
>
> > In Autotools, `make dist` produces a tarball that contains many
> > files not present in the source repository; it includes build system
> > core files, and this fact was used for the xz attack. In contrast,
> > for newer build systems the "release tarball" is purely a snapshot
> > of the source repository: there is no `cmake dist`, and `meson dist`
> > is essentially `git archive` [...]
>
> For what it's worth, not every auto*-using project uses "make dist" to
> build their release tarballs. If they can get over the matter of
> including auto*-generated scripts being located in the source repo,
> then indeed a "git archive" is sufficient.

This is very true; however, a few words of caution: IME this is a
maintainability nightmare. Fixing patches that forgot to regenerate,
regenerating on rebase, confirming everything is up-to-date before merge,
etc. etc. It can be handled, I have, but it was painful and
time-consuming. The hardest part was ensuring everyone was actually
running the "right" version of Auto*. (Did you know Debian ships a
different version of the *.m4? That caused more than a few hours lost to
confusion:
https://sources.debian.org/src/autoconf/2.72-2/debian/patches/add-runstatedir.patch)

To make matters worse, this behavior adds a lot of near-duplicate code and
large unreadable changes to patches. For my team that meant we didn't
often read the generated parts of patches with build system changes, and
definitely not close enough to detect any malicious injections. Which
should make everyone here squeamish given the recent xz attack.

Thanks,
-Jonathon
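A mechanical check for the point raised in the quoted text above, that a `make dist` tarball carries files the source repository never had, as an added example that is not part of this thread or of any project's release tooling: it lists the members of a release tarball that do not appear in an SCM snapshot tarball (such as one produced by `git archive`) and fails when any of them is missing from an allowlist of expected generated outputs. The allowlist, the single-top-level-directory tarball layout, and the two sample tarballs the script builds are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from this thread or any project's release tooling.
# Compares a release tarball (e.g. from `make dist`) with an SCM snapshot
# tarball (e.g. from `git archive --prefix=pkg/`) and reports members that
# exist only in the release. Assumptions: both tarballs have exactly one
# top-level directory, and the allowlist in unexpected_dist_files() names
# every generated file a reviewer expects to see only in the release.
export LC_ALL=C   # byte-order sorting so comm(1) sees both lists in one order

# Member paths of a tarball with the top-level directory stripped,
# directory entries dropped, sorted and de-duplicated.
list_tarball() {
    tar -tf "$1" | sed -e 's#^[^/]*/##' -e '/^$/d' -e '/\/$/d' | sort -u
}

# Paths present in the release tarball ($1) but not in the SCM snapshot ($2).
dist_only_files() {
    dist_list=$(mktemp) || return 2
    scm_list=$(mktemp) || return 2
    list_tarball "$1" > "$dist_list"
    list_tarball "$2" > "$scm_list"
    comm -23 "$dist_list" "$scm_list"
    rm -f "$dist_list" "$scm_list"
}

# Dist-only paths that are NOT on the allowlist of expected generated outputs.
# The allowlist is an assumption for illustration; tune it per project.
unexpected_dist_files() {
    dist_only_files "$1" "$2" \
        | grep -v -E '^(configure|aclocal\.m4|config\.h\.in|(.*/)?Makefile\.in)$' \
        || true   # grep exits 1 when nothing is left, which is the good case
}

# Return 0 when the release tarball adds nothing unexpected, 1 otherwise.
check_release() {
    extra=$(unexpected_dist_files "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'unexpected files only in release tarball:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Constructed fixture for demonstration: an SCM snapshot plus a release that
# adds two expected generated files and one m4 macro nobody committed.
# Prints the scratch directory that holds scm.tar and dist.tar.
make_fixtures() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/src/m4" "$work/dist/m4"
    for f in configure.ac Makefile.am src.c m4/local.m4; do
        printf 'placeholder\n' > "$work/src/$f"
        printf 'placeholder\n' > "$work/dist/$f"
    done
    printf 'generated\n' > "$work/dist/configure"
    printf 'generated\n' > "$work/dist/Makefile.in"
    printf 'surprise\n'  > "$work/dist/m4/not-in-scm.m4"
    ( cd "$work" && tar -cf scm.tar src && tar -cf dist.tar dist ) || return 2
    printf '%s\n' "$work"
}

# Run directly as: sh check_dist_vs_scm.sh RELEASE.tar SNAPSHOT.tar
if [ "$#" -eq 2 ]; then
    check_release "$1" "$2"
fi
```

On the constructed fixture the check reports only `m4/not-in-scm.m4`: `configure` and `Makefile.in` are dist-only too, but they are on the allowlist, which is the distinction a reviewer wants, since the generated build-system files are expected while an uncommitted macro file is not. Reviewing what the allowlisted files contain is a separate job; this script only tells you which dist-only files need a human to look at them.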