From: Ricardo Wurmus
To: Giovanni Biscuolo
Cc: Guix Devel, guix-security@gnu.org
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
In-Reply-To: <87plv4l25j.fsf@xelera.eu> (Giovanni Biscuolo's message of "Fri, 05 Apr 2024 09:06:00 +0200")
Date: Fri, 05 Apr 2024 09:39:33 +0200
Message-ID: <8734s0jm16.fsf@elephly.net>

Giovanni Biscuolo writes:

> Hello Ricardo,
>
> Ricardo Wurmus writes:
>
>> Giovanni Biscuolo writes:
>>
>>> So AFAIU using a fixed "autoreconf -fi" should mitigate the risks of
>>> tampered .m4 macros (and other possibly tampered build configuration
>>> script)?
>>>
>>> IMHO "ignoring" (deleting) pre-built build scripts in Guix
>>> build-system(s) should be considered... or is /already/ so?
>>
>> The gnu-build-system has a bootstrap phase, but it only does something
>> when a configure script does not already exist.  We sometimes force it
>> to bootstrap the build system when we patch configure.ac.
>>
>> In previous discussions there were no big objections to always
>> bootstrapping the build system files from autoconf/automake sources.
>
> But AFAIU the bootstrap is not always done, right?

It is not.  See guix/build/gnu-build-system.scm:

    (if (not (script-exists? "configure")) ...)

> If so, given that there are no big objections to always bootstrap the
> build system files, what is the technical reason it's not done?

I don't think there is a technical reason.  It's just one of those
things that need someone doing them.

>> Not using generated output is a good idea anyway and removes the
>> requirement to trust that the release tarballs are faithful derivations
>> from the autotools sources, but given the bland complexity of build system
>> code (whether that's recursive Makefiles, CMake cruft, or the infamous
>> gorilla spit[1] of autotools) I don't see a good way out.
>
> I guess I miss the technical details about why it's not possible to
> _always_ bootstrap the build system files from autoconf/automake
> sources: do you have any reference documentation or technical article as
> a reference, please?

I didn't say it's not possible.  Someone's gotta start a branch and
build it all out.  There may be some annoyance closer to the bootstrap
origins (because we may not easily be able to run an approximation of
autotools or even VCS tools closer to the bootstrap seeds), but I think
we're already using custom Makefiles in some of these cases to simplify
bootstrapping.

It's just work.  Someone's gotta do it.  It's probably not super
complicated, but given the large number of packages we have it won't be
fast.

-- 
Ricardo
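
Added example, not part of the message above and not Guix code: a Python sketch that lists the pre-generated autotools files a release tarball ships and evaluates the `configure`-exists condition quoted from gnu-build-system.scm, showing when regeneration would be skipped. The file-name lists, the function names and the `demo-1.0` sample tarballs are assumptions constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Generated outputs mapped to the source they derive from (common names, assumed).
GENERATED = {"configure": "configure.ac", "aclocal.m4": "configure.ac",
             "Makefile.in": "Makefile.am"}
# Helper scripts usually copied in by automake --add-missing or libtoolize.
COPIED = {"config.guess", "config.sub", "install-sh", "missing", "compile",
          "depcomp", "ltmain.sh"}


def audit_tarball(fileobj):
    """Return (bootstrap_would_run, sorted list of shipped pre-generated files)."""
    with tarfile.open(fileobj=fileobj) as tar:
        # Drop the top-level "pkg-version/" directory from every member name.
        names = {PurePosixPath(*PurePosixPath(m.name).parts[1:])
                 for m in tar.getmembers() if m.isfile()}
    shipped = []
    for path in names:
        source = GENERATED.get(path.name)
        if source and path.with_name(source) in names:
            shipped.append(str(path))       # output shipped next to its source
        elif path.name in COPIED:
            shipped.append(str(path))
        elif path.suffix == ".m4" and "m4" in path.parts[:-1]:
            # Vendored macros: may be project-authored, but they feed the
            # shipped configure and deserve a diff against the VCS tree.
            shipped.append(str(path))
    # Simplified model of the quoted condition only: the phase regenerates
    # the build system when no top-level configure script exists.
    bootstrap_would_run = PurePosixPath("configure") not in names
    return bootstrap_would_run, sorted(shipped)


def make_sample(paths):
    """Build a constructed in-memory tarball with empty files at `paths`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in paths:
            tar.addfile(tarfile.TarInfo("demo-1.0/" + p), io.BytesIO(b""))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    release = make_sample(["configure.ac", "configure", "Makefile.am",
                           "Makefile.in", "m4/demo-macro.m4", "src/main.c"])
    print(audit_tarball(release))
```

Every file in the returned list is build input that is used as shipped when the first element is False; deleting those files before the bootstrap phase, or building from a VCS checkout, removes them from the set of things that must be trusted.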