[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: backdoor injection via release tarballs combined with binary artifac
From: |
Ricardo Wurmus |
Subject: |
Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) |
Date: |
Fri, 05 Apr 2024 09:39:33 +0200 |
User-agent: |
mu4e 1.12.2; emacs 29.3 |
Giovanni Biscuolo <g@xelera.eu> writes:
> Hello Ricardo,
>
> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Giovanni Biscuolo <g@xelera.eu> writes:
>>
>>> So AFAIU using a fixed "autoreconf -fi" should mitigate the risks of
>>> tampered .m4 macros (and other possibly tampered build configuration
>>> script)?
>>>
>>> IMHO "ignoring" (deleting) pre-built build scripts in Guix
>>> build-system(s) should be considered... or is /already/ so?
>>
>> The gnu-build-system has a bootstrap phase, but it only does something
>> when a configure script does not already exist. We sometimes force it
>> to bootstrap the build system when we patch configure.ac.
>>
>> In previous discussions there were no big objections to always
>> bootstrapping the build system files from autoconf/automake sources.
>
> But AFAIU the boostrap is not always done, right?
It is not. See guix/build/gnu-build-system.scm:
(if (not (script-exists? "configure")) ...)
> If so, given that there are no big objections to always bootstrap the
> build system files, what is the technical reason it's not done?
I don't think there is a technical reason. It's just one of those
things that need someone doing them.
>> Not using generated output is a good idea anyway and removes the
>> requirement to trust that the release tarballs are faithful derivations
>> from the autotools sources, but given the bland complexity of build system
>> code (whether that's recursive Makefiles, CMake cruft, or the infamous
>> gorilla spit[1] of autotools) I don't see a good way out.
>
> I guess I miss the technical details about why it's not possible to
> _always_ bootstrap the build system files from autoconf/automake
> sources: do you have any reference documentation or technical article as
> a reference, please?
I didn't say it's not possible. Someone's gotta start a branch and
build it all out. There may be some annoyance closer to the bootstrap
origins (because we may not easily be able to run an approximation of
autotools or even VCS tools closer to the bootstrap seeds), but I think
we're already using custom Makefiles in some of these cases to simplify
bootstrapping.
It's just work. Someone's gotta do it. It's probably not super
complicated, but given the large number of packages we have it won't be
fast.
--
Ricardo
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), (continued)
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Attila Lendvai, 2024/04/12
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ludovic Courtès, 2024/04/12
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/13
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/05
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Attila Lendvai, 2024/04/05
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/13
Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ricardo Wurmus, 2024/04/04
Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Jan Wielkiewicz, 2024/04/05