From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gdb-bounces+public-inbox=simark.ca@sourceware.org>
Received: from simark.ca
	by simark.ca with LMTP
	id aJ42LNpoDGaOkyAAWB0awg
	(envelope-from <gdb-bounces+public-inbox=simark.ca@sourceware.org>)
	for <public-inbox@simark.ca>; Tue, 02 Apr 2024 16:21:46 -0400
Authentication-Results: simark.ca;
	dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.a=rsa-sha256 header.s=default header.b=WPomU6Gu;
	dkim-atps=neutral
Received: by simark.ca (Postfix, from userid 112)
	id AFFA81E0C0; Tue,  2 Apr 2024 16:21:46 -0400 (EDT)
Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256)
	(No client certificate requested)
	by simark.ca (Postfix) with ESMTPS id 967651E030
	for <public-inbox@simark.ca>; Tue,  2 Apr 2024 16:21:44 -0400 (EDT)
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id F032F3884520
	for <public-inbox@simark.ca>; Tue,  2 Apr 2024 20:21:43 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org F032F3884520
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1712089304;
	bh=Nt77fcHwTS6sWcYHJv+AOq0ZExIf/2/x2/qWmsaFP7w=;
	h=Subject:In-Reply-To:Date:Cc:References:To:List-Id:
	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	 From:Reply-To:From;
	b=WPomU6GuERxrVuoset1CaZd8W+KNqbBrTCs0I0eh6PcMIfFZ8IvWSKc2iZZHRG9Gv
	 F6i2PkQ7TZZm+zJFVxp+HTNcQ7w7BE/zLHhPD6BQFkAxLH4E+ejxFgFBM5mL7uPo87
	 sQZfcjEvt/s8ZFOkfJoPa5eYgyzkXyQnKXGTKp2U=
Received: from resqmta-a2p-658781.sys.comcast.net
 (resqmta-a2p-658781.sys.comcast.net [IPv6:2001:558:fd01:2bb4::9])
 by sourceware.org (Postfix) with ESMTPS id 2B3CE386102F
 for <gdb@sourceware.org>; Tue,  2 Apr 2024 20:20:06 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 2B3CE386102F
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 2B3CE386102F
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712089207; cv=none;
 b=OTT9WnQYi22LiYSgTB2fuvzmB6SMdgPK0kvytLtbKpfMMVsZFdNft7A7i7FyCk0vFiD95ux4qZSKVcjvlazBK7sb9LPUtlQSwy2+0dHKrmQl/lHg3hp8SKD239ePW+x81CpgtwAyjxvnlpDE+3sNGA+srYWC8lY8IVn7sAiXIbM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1712089207; c=relaxed/simple;
 bh=coDjvlKCghEDpWgzXS/1CJs2r/889+1YAMQcBPRUA2U=;
 h=DKIM-Signature:Mime-Version:Subject:From:Date:Message-Id:To;
 b=g3T+W3VRH2fed7s7XAwTWG9TJHA8782FyrE6hVd+q1qcoLZkHgiUKfTU7Lx5AIKRtAFU7JSNR+W8wu1s1DKEjneFzStD+jmS8uzEpM5JjTxgh5Or9V/z5LFIjy48D9am/kge2bxkJthxuVFgr2ySp+kkI9sDghr8dCIu2mM8Xec=
ARC-Authentication-Results: i=1; server2.sourceware.org
Received: from resomta-a2p-646966.sys.comcast.net ([96.103.145.238])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
 (Client did not present a certificate)
 by resqmta-a2p-658781.sys.comcast.net with ESMTPS
 id rjOHrtNhVatj0rkc1rgP38; Tue, 02 Apr 2024 20:20:05 +0000
Received: from smtpclient.apple ([73.60.223.101])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
 (Client did not present a certificate)
 by resomta-a2p-646966.sys.comcast.net with ESMTPSA
 id rkbxrnEGAVDkArkbyrUOPJ; Tue, 02 Apr 2024 20:20:05 +0000
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
In-Reply-To: <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu>
Date: Tue, 2 Apr 2024 16:20:01 -0400
Cc: Sandra Loosemore <sloosemore@baylibre.com>, Mark Wielaard <mark@klomp.org>,
 overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org,
 gdb@sourceware.org, libc-alpha@sourceware.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <FC0B14DF-0B05-4896-B70F-7D994961D5C2@comcast.net>
References: <20240329203909.GS9427@gnu.wildebeest.org>
 <20240401150617.GF19478@gnu.wildebeest.org>
 <fc3d8fe6-bfec-474d-a9ed-895067654603@baylibre.com>
 <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu>
To: Paul Eggert <eggert@CS.UCLA.EDU>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
X-CMAE-Envelope: MS4xfGtIo99Y13JUUixE4xyi3dLeif45FMMHaCuCmS492P5CvHSKkEdHY5yZUaEGhV5XGbh70dWkX+pYbOIQtGSLA6Zb469Hk4phbReV2q1Rr4kI3KxgY/1N
 SCR9Z7tewtcAOgVw20z9hgi9MzddC6OYH2GdnI/upp4pJt6n6hGm7HK0ik8gNAfG8E978OwLD+paiFKP0c8RLmUrs114ceSWEHafcHJU/O1EGDymSkcE8U7p
 l3RzxmXuy5fYkISOjA1+CGadB11oiHuDPmVisAj7e2N70y/54/NO2E4wwpGDjuZ2yiBqL/Wb3cFKGblXQMkcPP9tf4VAVAuLnPaMzA3gYkS+xxTCmiI31Wez
 eyJbJejwVEmuN7C/wngasPt2vBqNnCZP5/vVmlkiFHqTnuWc7n4Ke7nHanowV/gc5pobK8bh
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW,
 SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: gdb@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Gdb mailing list <gdb.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/gdb>,
 <mailto:gdb-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/gdb/>
List-Post: <mailto:gdb@sourceware.org>
List-Help: <mailto:gdb-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/gdb>,
 <mailto:gdb-request@sourceware.org?subject=subscribe>
From: Paul Koning via Gdb <gdb@sourceware.org>
Reply-To: Paul Koning <paulkoning@comcast.net>
Errors-To: gdb-bounces+public-inbox=simark.ca@sourceware.org
Sender: "Gdb" <gdb-bounces+public-inbox=simark.ca@sourceware.org>



> On Apr 2, 2024, at 4:03 PM, Paul Eggert <eggert@CS.UCLA.EDU> wrote:
>=20
> On 4/2/24 12:54, Sandra Loosemore wrote:
>> Do we to harden our process, too, to require all patches to be signed =
off by someone else before committing?
>=20
> It's easy for an attacker to arrange to have "someone else" in =
cahoots.
>=20
> Although signoffs can indeed help catch inadvertent mistakes, they're =
relatively useless against determined attacks of this form, and we must =
assume that nation-state attackers will be determined.

Another consideration is the size of the project.  "Many eyeballs" helps =
if there are plenty of people watching.  For smaller tools that have =
only a small body of contributors, it's easier for one or two malicious =
ones to subvert things.

Would it help to require (rather than just recommend) "don't use root =
except for the actual 'install' step" ?

	paul