[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
|
From: |
Eric Blake |
|
Subject: |
Re: GNU Coding Standards, automake, and the recent xz-utils backdoor |
|
Date: |
Tue, 2 Apr 2024 16:37:47 -0500 |
|
User-agent: |
NeoMutt/20240201 |
[adding in coreutils, for some history]
On Sat, Mar 30, 2024 at 12:55:35PM -0400, Eric Gallager wrote:
> I was recently reading about the backdoor announced in xz-utils the
> other day, and one of the things that caught my attention was how
> (ab)use of the GNU build system played a role in allowing the backdoor
> to go unnoticed: https://openwall.com/lists/oss-security/2024/03/29/4
I'm also wondering whether the GNU system should recommend using zstd
instead of or in addition to xz for compression purposes. Automake
gained support for dist-zstd back in 2019 [1], but I'm not sure how
many projects are using it yet.
[1] https://git.savannah.gnu.org/cgit/automake.git/commit/?id=5c466eaf
Furthermore, I was around when GNU Coreutils kicked off the initial
push to support dist-xz (initially named dist-lzma, before a change in
upstream [2]) because of its benefits over over dist-bz2 (compresses
smaller, decompresses faster) [3][4], and even when it ditched
dist-gzip leaving dist-xz as its ONLY release option [5][6], before
needing to be reinstated for bootstrapping Guix [7][8].
[2] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=b52a8860
[3] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=b75e3b85
[4] https://lists.gnu.org/r/bug-coreutils/2007-10/msg00165.html
[5] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=e1c589ec
[6] https://lists.gnu.org/r/coreutils/2011-10/msg00000.html
[7] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=516cdf38
[8] https://lists.gnu.org/r/coreutils/2020-02/msg00042.html
At any rate, it is now obvious (in hindsight) that zstd has a much
larger development team than xz, which may alter the ability of zstd
being backdoored in the same way that xz was, merely by social
engineering of a lone maintainer.
It is also obvious that having GNU distributions available through
only a SINGLE compression format, when that format may be vulnerable,
is a dis-service to users when it is not much harder to provide
tarballs in multiple formats. Having multiple tarballs as the
recommendation can at least let us automate that each of the tarballs
has the same contents, although it won't make it any more obvious
whether those contents match what was in git (which was how the xz
backdoor got past so many people in the first place).
--
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org
- Re: GCC reporting piped input as a security feature (was: GNU Coding Standards, automake, and the recent xz-utils backdoor), (continued)
- Re: GCC reporting piped input as a security feature (was: GNU Coding Standards, automake, and the recent xz-utils backdoor), Jacob Bachmeyer, 2024/04/06
- Re: GCC reporting piped input as a security feature (was: GNU Coding Standards, automake, and the recent xz-utils backdoor), Richard Stallman, 2024/04/08
- Re: GCC reporting piped input as a security feature, Jacob Bachmeyer, 2024/04/08
- Re: GCC reporting piped input as a security feature, Jan Engelhardt, 2024/04/09
- Re: GCC reporting piped input as a security feature, Jacob Bachmeyer, 2024/04/09
- Re: GCC reporting piped input as a security feature, Zack Weinberg, 2024/04/11
- Re: GCC reporting piped input as a security feature, Jacob Bachmeyer, 2024/04/12
- Re: GCC reporting piped input as a security feature, Alan D. Salewski, 2024/04/09
- Re: GCC reporting piped input as a security feature, Jacob Bachmeyer, 2024/04/09
- Re: GCC reporting piped input as a security feature (was: GNU Coding Standards, automake, and the recent xz-utils backdoor), Richard Stallman, 2024/04/08
Re: GNU Coding Standards, automake, and the recent xz-utils backdoor,
Eric Blake <=
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Bob Friesenhahn, 2024/04/02
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Karl Berry, 2024/04/02
- Re: compressed release distribution formats (was: GNU Coding Standards, automake, and the recent xz-utils backdoor), Jacob Bachmeyer, 2024/04/02
Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Richard Stallman, 2024/04/02
Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Richard Stallman, 2024/04/02
Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Richard Stallman, 2024/04/02
Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Richard Stallman, 2024/04/02