From: Ekaitz Zarraga
Date: Thu, 11 Apr 2024 16:05:43 +0200
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
To: Andreas Enge
Cc: Ludovic Courtès, Attila Lendvai, Giovanni Biscuolo, Guix Devel
List: guix-devel@gnu.org ("Development of GNU Guix and the GNU System distribution.")

Hi,

>> and everybody is reading.
>
> This is a steep claim! I agree that nobody reads generated files in
> a release tarball, but I am not sure how many other files are actually
> read.

Yeah, it is. I'd also love to know how effective the reading is in a release tarball vs a VCS repo. Quality of the reading is also very important. I simply don't even try to read a tarball; not having the history makes understanding very difficult.
If I find a piece of code that seems odd, I would like to `git blame` it and see what the reason for the inclusion was, who included it, and so on. It's not much, but it's better than nothing. Although, I'd understand if you told me the history might be misleading, too.
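An added example, not part of this mail and not Guix's own tooling, of the reconciliation a reviewer can do before trying to read a tarball at all: compare the files a release tarball ships against the files tracked at the corresponding VCS tag, so that everything without a history to `git blame` (generated files, files that differ from the tagged commit, files only present in the tarball) is listed explicitly. It assumes the tracked side is the output of `git ls-tree -r <tag>` (mode, type, blob id, tab, path) and that the tarball has a single top-level `name-version/` directory; the tagged tree and the tarball below are constructed in memory so the script runs offline.

```python
import hashlib
import io
import tarfile


def git_blob_id(data: bytes) -> str:
    """Git's object id for file content: sha1 over "blob <size>\\0" + content.
    Computing it locally lets tarball files be compared with `git ls-tree`
    output without checking anything out."""
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def parse_ls_tree(text: str) -> dict:
    """Parse `git ls-tree -r <tag>` output into {path: blob_id}."""
    tracked = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        _mode, kind, oid = meta.split()
        if kind == "blob":
            tracked[path] = oid
    return tracked


def tarball_blobs(tar_bytes: bytes) -> dict:
    """Return {path: blob_id} for regular files in a release tarball,
    dropping the leading "name-version/" directory so paths line up
    with the repository layout."""
    blobs = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            name = member.name[2:] if member.name.startswith("./") else member.name
            _top, _sep, rel = name.partition("/")
            data = tf.extractfile(member).read()
            blobs[rel or name] = git_blob_id(data)
    return blobs


def compare_release(tar_bytes: bytes, ls_tree_text: str) -> dict:
    """Three review lists: files with no VCS history at all, tracked files
    the tarball dropped, and files whose content differs from the tag."""
    tracked = parse_ls_tree(ls_tree_text)
    shipped = tarball_blobs(tar_bytes)
    return {
        "only_in_tarball": sorted(set(shipped) - set(tracked)),
        "only_in_vcs": sorted(set(tracked) - set(shipped)),
        "modified": sorted(
            p for p in shipped if p in tracked and shipped[p] != tracked[p]
        ),
    }


# Constructed sample (hypothetical project "demo" 1.0): the tagged tree and a
# tarball that drifts from it in each of the three ways above.
VCS_TREE = {
    "README": b"hello\n",
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "tests/run.sh": b"#!/bin/sh\nexit 0\n",
}


def sample_ls_tree() -> str:
    """What `git ls-tree -r v1.0` would print for VCS_TREE (constructed)."""
    lines = []
    for path, data in VCS_TREE.items():
        mode = "100755" if path.endswith(".sh") else "100644"
        lines.append(f"{mode} blob {git_blob_id(data)}\t{path}")
    return "\n".join(lines) + "\n"


def sample_tarball() -> bytes:
    """A demo-1.0.tar.gz (constructed) built from the tree with three changes."""
    shipped = dict(VCS_TREE)
    shipped["src/main.c"] = b"int main(void) { return 1; }\n"  # differs from the tag
    shipped["m4/generated-helper.m4"] = b"dnl generated at release time\n"  # no history
    del shipped["tests/run.sh"]  # tracked, but not shipped
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in shipped.items():
            info = tarfile.TarInfo(name="demo-1.0/" + path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    return compare_release(sample_tarball(), sample_ls_tree())


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On a real release you would feed `compare_release` the tarball bytes and the output of `git ls-tree -r <tag>` from a clone of the upstream repository; the `only_in_tarball` list is precisely the content that cannot be `git blame`d and therefore needs to be read (or regenerated and diffed) rather than trusted, while `modified` catches a tarball whose files quietly differ from the commit they claim to be built from.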