Matthew Garrett (mjg59@nondeterministic.computer)'s status on Saturday, 30-Mar-2024 06:36:42 JST
Being less flippant about this - the xz backdoor relied on a line that was present in the tarball release, but not in the git repo. Do we have any infrastructure for validating this kind of thing? (It's expected that the tarball would contain things that aren't in git - for example, the configure script doesn't exist in git, but is expected to be in the release. The problem is that extra code was injected into the configure script after it was generated.)
mcc (mcc@mastodon.social)'s status on Saturday, 30-Mar-2024 06:36:40 JST
@mjg59 Like I look at this and the problem I see is not "you can use M4 to inject code into a tarball from github" but rather "our entire supply chain is a hodgepodge of dissimilar parts awkwardly gasketed together, and someone found one of the many parts of that supply chain that is out-of-sight/confusing enough that a Bad patch could be put there without anyone noticing for quite some time"
Erin 💽✨ (erincandescent@akko.erincandescent.net)'s status on Saturday, 30-Mar-2024 06:36:40 JST
@mcc @mjg59 One thing that's sort of clear to me from this is that we should strongly encourage projects to move away from Autotools.
It's really the only common build tool where a repository checkout is not by itself buildable and is commonly (a friend has been fighting with the autoconf-based build systems of both GnuTLS and LibreSSL lately) hard to make buildable.
mcc (mcc@mastodon.social)'s status on Saturday, 30-Mar-2024 06:36:41 JST
@mjg59 It seems like one problem is it would be legitimately difficult to validate this without introducing some sort of uniform build/packaging process to audit in the first place.
(I guess you could look at effects, and specifically test whether the tarball/thing in package repo is different from the source, and compare against an approved list of intentional, inspected late patches for the cases where you want behavior like this?)
Erin 💽✨ (erincandescent@akko.erincandescent.net)'s status on Saturday, 30-Mar-2024 06:44:57 JST
@mcc @mjg59 I think a good package linter for distros to introduce would be that sources come from git checkouts/archives.
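The check mcc sketches (diff the tarball against the git tree, then compare the generated files against an approved, already-inspected list) and the linter Erin proposes could both be implemented along these lines. This is an added example, not code from the thread or from any distribution's tooling; the allowlist format, function names and sample file contents are assumptions.

```python
"""Audit a release tarball against the git tree it claims to come from.

A file in git that differs in the tarball, a tarball-only file nobody has
reviewed, or a generated file (configure, Makefile.in, ...) whose digest no
longer matches the copy a reviewer inspected are all flagged.  The xz case
falls into the last bucket: configure was generated, then altered.
"""
import hashlib
from pathlib import Path


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): digest(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_release(git: dict[str, str], tarball: dict[str, str],
                  inspected: dict[str, str]) -> dict[str, list[str]]:
    """git/tarball: path -> digest; inspected: approved digests of generated files."""
    report = {"modified": [], "missing_from_tarball": [], "approved_generated": [],
              "generated_changed_since_review": [], "unreviewed_extra": []}
    for path in sorted(set(git) | set(tarball)):
        if path in git and path in tarball:
            if git[path] != tarball[path]:
                report["modified"].append(path)            # tracked file altered
        elif path in git:
            report["missing_from_tarball"].append(path)    # informational only
        elif path in inspected and inspected[path] == tarball[path]:
            report["approved_generated"].append(path)      # matches reviewed output
        elif path in inspected:
            report["generated_changed_since_review"].append(path)  # the xz pattern
        else:
            report["unreviewed_extra"].append(path)        # tarball-only, unreviewed
    return report


def release_is_clean(report: dict[str, list[str]]) -> bool:
    return not (report["modified"] or report["unreviewed_extra"]
                or report["generated_changed_since_review"])


def constructed_example() -> dict[str, list[str]]:
    """Constructed sample trees (not real xz data): configure gains a line after generation."""
    reviewed_configure = b"#!/bin/sh\n# Generated by GNU Autoconf\n"
    git = {"configure.ac": digest(b"AC_INIT([demo])\n"), "src/lib.c": digest(b"int f(void){return 1;}\n")}
    tarball = dict(git, **{"Makefile.in": digest(b"all:\n"),
                           "configure": digest(reviewed_configure + b"line-not-in-reviewed-output\n")})
    inspected = {"configure": digest(reviewed_configure), "Makefile.in": digest(b"all:\n")}
    return audit_release(git, tarball, inspected)
```

For a real release, feed `tree_digests()` the extracted `git archive` and the extracted tarball, and keep the inspected digests in version control so a changed generated file has to be re-reviewed.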