Sourceware mitigating and preventing the next xz-backdoor
Sam James
sam@gentoo.org
Tue Apr 9 22:00:39 GMT 2024
Jonathon Anderson via Gdb <gdb@sourceware.org> writes:
> On Tue, 2024-04-09 at 16:11 -0400, Paul Koning wrote:
>>
>> On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc <[gcc@gcc.gnu.org](mailto:gcc@gcc.gnu.org)> wrote:
>>
>> > CMake has its own sandbox and rules and escapes (granted, much more of
>> > them). But regardless, the injection code would be committed to the
>> > repository (point 2) and would not hold up to a source directory mounted
>> > read-only (point 3).
>>
>> Why would the injection code necessarily be committed to the
>> repository? It wasn't in the xz attack -- one hole in the
>> procedures is that the kits didn't match the repository and no
>> checks caught this. I don't see how a different build system would
>> cure that issue. Instead, there needs to be some sort of audit that
>> verifies there aren't rogue or modified elements in the kit.
>
> In Autotools, `make dist` produces a tarball that contains many files
> not present in the source respoitory, it includes build system core
> files and this fact was used for the xz attack. In contrast, for newer
> build systems the "release tarball" is purely a snapshot of the source
> repository: there is no `cmake dist`, and `meson dist` is essentially
> `git archive`
> ([docs](https://mesonbuild.com/Creating-releases.html)). Thus for the
> injection code to be present in the release tarball, it needs to have
> first been checked into the repository.
(Of course, one could modify it after, but the point here is that it's by
design reproducible so any differences are suspicious, just to be
clear.)
>
> In fact, packagers don't *need* to use the tarballs, they can (and
> should) use the Git history from the source repository itself. In
> Debian this is one workflow implemented by the popular
> git-buildpackage
> ([docs](https://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.import.upstream-git.html)). The
> third-party package manager
> [Spack](https://spack.readthedocs.io/en/latest/packaging_guide.html#git)
> clones directly from the source repository. Others may have support
> for this as well, this isn't a novel idea.
>
> -Jonathon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 377 bytes
Desc: not available
URL: <https://sourceware.org/pipermail/binutils/attachments/20240409/6d2f622b/attachment.sig>
More information about the Binutils
mailing list