Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Michael Matz, Martin Uecker
Cc: Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Date: Wed, 03 Apr 2024 13:46:36 -0500
In-Reply-To: <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de>
From: Jonathon Anderson via Gdb

Hello all,

On Wed, 2024-04-03 at 16:00 +0200, Michael Matz wrote:
> > My takeaway is that software needs to become less complex. Do
> > we really still need complex build systems such as autoconf?
>
> (And, FWIW, testing for features isn't "complex". And have you looked at
> other build systems? I have, and none of them are less complex, just
> opaque in different ways from make+autotools).

Some brief opinions from a humble end-user:

I think the key difference here is that Autotools allows arbitrarily generated code to be executed at any time. More modern build systems require the use of specific commands/files to run arbitrary code, e.g. CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson ([`run_command()`][1]), Cargo ([`build.rs`][4]).\
IMHO there are similarities here to the memory "safety" of Rust: Rust code can have memory errors, but it can only come from Rust code declared as `unsafe` (or bugs in the compiler itself). The scope is limited and those scopes can be audited with more powerful microscopes... and removed if/when the build system gains first-class support upstream.

There are other features in the newest build systems listed here (Meson and Cargo) that make this particular attack vector harder. These build systems don't have release tarballs with auxiliary files (e.g. [Meson's is very close to `git archive`][5]), nor do their DSLs allow writing files to the source tree. One could imagine a build/CI worker where the source tree is a read-only bind-mount of a `git archive` extract, that might help defend against attacks of this specific design.

It's also worth noting that Meson and Cargo use non-Turing-complete declarative DSLs for their build configuration. This implies there is an upper bound on the [cyclomatic complexity][6]-per-line of the build script DSL itself. That doesn't mean you can't write complex Meson code (I have), but it ends up being suspiciously long and thus clear something complex and out of the ordinary is being done.

Of course, this doesn't make the build system any less complex, but projects using newer build systems seem easier to secure and audit than those using overly flexible build systems like Autotools and maybe even CMake. IMHO using a late-model build system is a relatively low technical hurdle to overcome for the benefits noted above, switching should be considered and in a positive light.

(For context: my team recently switched our main C/C++ project from Autotools to Meson. The one-time refactor itself was an effort, but after that we got back up to speed quickly and we haven't looked back. Other projects may have an easier time using an unofficial port in the [Meson WrapDB][7] as a starting point.)

-Jonathon

[1]: https://mesonbuild.com/External-commands.html
[2]: https://cmake.org/cmake/help/latest/command/execute_process.html#execute-process
[3]: https://cmake.org/cmake/help/latest/module/ExternalProject.html
[4]: https://doc.rust-lang.org/cargo/reference/build-scripts.html
[5]: https://mesonbuild.com/Creating-releases.html
[6]: https://en.wikipedia.org/wiki/Cyclomatic_complexity
[7]: https://mesonbuild.com/Wrapdb-projects.html
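
An added example, not part of the original message and not code from any project named in it: a check for the "release tarballs with auxiliary files" gap the message describes, comparing a release tarball against the `git archive` output for the same tag. The function names, file names and sample contents are constructed for illustration; both archives are assumed to carry a single top-level prefix directory.

```python
import hashlib
import io
import tarfile

def _digests(tar_bytes, strip_components=1):
    """Map each regular file's path (prefix dir stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            if not member.isfile():      # skip dirs, links, pax headers
                continue
            parts = member.name.split("/")[strip_components:]
            if parts:
                data = tar.extractfile(member).read()
                out["/".join(parts)] = hashlib.sha256(data).hexdigest()
    return out

def audit_release(release_tar, git_archive_tar):
    """Report how a release tarball differs from the tracked git tree."""
    rel, ref = _digests(release_tar), _digests(git_archive_tar)
    return {
        # Files shipped to users that no reviewer ever saw in git.
        "only_in_release": sorted(set(rel) - set(ref)),
        # Tracked files whose shipped bytes differ from the repository.
        "modified": sorted(p for p in rel.keys() & ref.keys()
                           if rel[p] != ref[p]),
        "missing_from_release": sorted(set(ref) - set(rel)),
    }

def _make_tar(prefix, files):
    """Build an in-memory tar (stand-in for real archives in this demo)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the release adds a generated script and alters a macro.
SAMPLE_GIT = {"configure.ac": b"AC_INIT([demo],[1.0])\n",
              "m4/check.m4": b"dnl tracked version\n",
              "src/main.c": b"int main(void){return 0;}\n"}
SAMPLE_RELEASE = dict(SAMPLE_GIT, **{"configure": b"#!/bin/sh\n# generated\n",
                                     "m4/check.m4": b"dnl shipped version\n"})

def demo():
    return audit_release(_make_tar("demo-1.0", SAMPLE_RELEASE),
                         _make_tar("demo-1.0", SAMPLE_GIT))
```

Autotools releases legitimately ship generated files such as `configure`, so the report is a review list rather than a verdict; a tarball produced directly from `git archive` yields three empty lists.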