Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
From: Alexandre Oliva
Subject: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Date: Sat, 30 Mar 2024 21:00:19 -0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
On Mar 30, 2024, Eric Gallager <egall@gwmail.gwu.edu> wrote:
> automake's `distcheck` target, whose entire purpose is to make it
> easier to verify that a distribution tarball can be rebuilt from
> itself and contains all the things it ought to contain.
> Recommending the `distcheck` target to a wider variety of users would
> help more projects catch mismatches between things a distribution
> tarball is supposed to contain, and things that it isn't. This would
> be a win for security and could help make it easier to catch future
> possible bad actors trying to pull a similar trick. What do people
> think?
Bluntly, I don't think it would help with security. The attacker would
just have to disable or adjust the distcheck target to seemingly pass.
Relying on something in a code repository to tell whether the repository
is secure is akin to tying a dog with sausage.
For security proper, the verification code needs to be held elsewhere,
not compromisable along with the thing it's supposed to verify.
Analogously, you don't run a rootkit checker on the system that's
potentially compromised, because the rootkit may hide itself; you boot
off secure media and then use the tools in it to look for the rootkit in
the potentially-compromised system, *without* handing control over to
it.
--
Alexandre Oliva, happy hacker https://FSFLA.org/blogs/lxo/
Free Software Activist GNU Toolchain Engineer
Disinformation flourishes because many people care deeply about injustice but
very few check the facts. Think Assange & Stallman. The empires strike back
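The point Oliva makes above, that the check must not live inside the thing it checks, can be put into practice by hashing the files of an independent VCS checkout, keeping that manifest outside the release, and comparing the distribution tarball against it. What follows is an added example written for this page; it is not code from the thread, from automake, or from any GNU project. It assumes a manifest of SHA-256 hashes keyed by path relative to the tree root, treats a named set of files (here only `configure`) as legitimately generated at release time and reports them in their own bucket for a human to inspect, and constructs both the "checkout" and the tarball in memory so it runs offline. The file names and contents are made up for the demonstration.

```python
"""Compare a release tarball against a file manifest held outside the tarball.

Added example, not code from the mailing-list thread. In real use the manifest
comes from `manifest_from_tree()` run on a separate checkout of the VCS tree and
is stored where the release author cannot alter it; here the checkout contents
and the tarball are constructed in memory so the check runs offline.
"""
import hashlib
import io
import os
import tarfile
from typing import Dict, Iterable, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_tree(root: str, skip_dirs: Iterable[str] = (".git",)) -> Dict[str, str]:
    """Hash every regular file under `root`, keyed by path relative to `root`."""
    manifest: Dict[str, str] = {}
    skip = set(skip_dirs)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]  # prune VCS metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = sha256_hex(fh.read())
    return manifest


def manifest_from_tarball(tar_bytes: bytes) -> Dict[str, str]:
    """Hash every regular file in the tarball, stripping the top-level directory."""
    manifest: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            fh = tf.extractfile(member)
            manifest[rel] = sha256_hex(fh.read() if fh else b"")
    return manifest


def compare_manifests(expected: Dict[str, str], actual: Dict[str, str],
                      allowed_extra: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Classify every path as missing, unexpected, generated, or modified.

    `allowed_extra` names files a tarball legitimately carries although the VCS
    tree does not (e.g. `configure`). They are reported separately, not silently
    accepted, because that is exactly where a tampered file could hide.
    """
    extra = set(allowed_extra)
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected and p not in extra)
    generated = sorted(p for p in actual if p not in expected and p in extra)
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return {"missing": missing, "unexpected": unexpected,
            "generated": generated, "modified": modified}


def build_tarball(files: Dict[str, bytes], topdir: str = "pkg-1.0") -> bytes:
    """Construct a gzip tarball in memory (fixture for the demonstration only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name=f"{topdir}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed fixture: what the independent checkout contains ...
VCS_TREE = {
    "configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/local.m4": b"dnl helper macro as committed\n",
}
# ... and what the released tarball contains: a generated configure script,
# plus one macro file whose contents differ from the committed version.
RELEASE_TARBALL = build_tarball({
    "configure.ac": VCS_TREE["configure.ac"],
    "src/main.c": VCS_TREE["src/main.c"],
    "m4/local.m4": b"dnl helper macro, altered in the tarball only\n",
    "configure": b"#!/bin/sh\necho generated\n",
})
EXPECTED_MANIFEST = {path: sha256_hex(data) for path, data in VCS_TREE.items()}


def check_release() -> Dict[str, List[str]]:
    """Run the comparison for the constructed fixture above."""
    return compare_manifests(EXPECTED_MANIFEST, manifest_from_tarball(RELEASE_TARBALL),
                             allowed_extra=("configure",))


if __name__ == "__main__":
    for kind, paths in check_release().items():
        print(f"{kind}: {paths}")
```

The `modified` bucket is the one a `distcheck` run cannot populate, because `distcheck` only rebuilds the tarball from its own contents; the reference hashes here come from a tree the tarball's author never touched. The `generated` bucket is a judgment call: files like `configure` will always appear there, and a reviewer should regenerate them from the checkout with the same tool versions and diff the result rather than accept them on sight.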