From: Ricardo Wurmus <rekado@elephly.net>
To: Giovanni Biscuolo <g@xelera.eu>
Cc: Guix Devel <guix-devel@gnu.org>, guix-security@gnu.org
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Fri, 05 Apr 2024 09:39:33 +0200 [thread overview]
Message-ID: <8734s0jm16.fsf@elephly.net> (raw)
In-Reply-To: <87plv4l25j.fsf@xelera.eu> (Giovanni Biscuolo's message of "Fri, 05 Apr 2024 09:06:00 +0200")
Giovanni Biscuolo <g@xelera.eu> writes:
> Hello Ricardo,
>
> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Giovanni Biscuolo <g@xelera.eu> writes:
>>
>>> So AFAIU using a fixed "autoreconf -fi" should mitigate the risks of
>>> tampered .m4 macros (and other possibly tampered build configuration
>>> script)?
>>>
>>> IMHO "ignoring" (deleting) pre-built build scripts in Guix
>>> build-system(s) should be considered... or is /already/ so?
>>
>> The gnu-build-system has a bootstrap phase, but it only does something
>> when a configure script does not already exist. We sometimes force it
>> to bootstrap the build system when we patch configure.ac.
>>
>> In previous discussions there were no big objections to always
>> bootstrapping the build system files from autoconf/automake sources.
>
> But AFAIU the boostrap is not always done, right?
It is not. See guix/build/gnu-build-system.scm:
(if (not (script-exists? "configure")) ...)
> If so, given that there are no big objections to always bootstrap the
> build system files, what is the technical reason it's not done?
I don't think there is a technical reason. It's just one of those
things that need someone doing them.
>> Not using generated output is a good idea anyway and removes the
>> requirement to trust that the release tarballs are faithful derivations
>> from the autotools sources, but given the bland complexity of build system
>> code (whether that's recursive Makefiles, CMake cruft, or the infamous
>> gorilla spit[1] of autotools) I don't see a good way out.
>
> I guess I miss the technical details about why it's not possible to
> _always_ bootstrap the build system files from autoconf/automake
> sources: do you have any reference documentation or technical article as
> a reference, please?
I didn't say it's not possible. Someone's gotta start a branch and
build it all out. There may be some annoyance closer to the bootstrap
origins (because we may not easily be able to run an approximation of
autotools or even VCS tools closer to the bootstrap seeds), but I think
we're already using custom Makefiles in some of these cases to simplify
bootstrapping.
It's just work. Someone's gotta do it. It's probably not super
complicated, but given the large number of packages we have it won't be
fast.
--
Ricardo
next prev parent reply other threads:[~2024-04-05 7:40 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 20:57 Backdoor in upstream xz-utils John Kehayias
2024-03-29 17:51 ` Ryan Prior
2024-03-29 20:39 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-03-29 20:55 ` Tomas Volf
2024-03-30 21:02 ` Ricardo Wurmus
2024-04-04 10:34 ` backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) Giovanni Biscuolo
2024-04-04 15:12 ` Attila Lendvai
2024-04-04 16:47 ` Giovanni Biscuolo
2024-04-04 15:47 ` Giovanni Biscuolo
2024-04-04 19:48 ` Attila Lendvai
2024-04-04 20:32 ` Ekaitz Zarraga
2024-04-10 13:57 ` Ludovic Courtès
2024-04-11 12:43 ` Andreas Enge
2024-04-11 12:56 ` Ekaitz Zarraga
2024-04-11 13:49 ` Andreas Enge
2024-04-11 14:05 ` Ekaitz Zarraga
2024-04-13 0:14 ` Skyler Ferris
2024-04-19 14:31 ` Ludovic Courtès
2024-04-13 6:50 ` Giovanni Biscuolo
2024-04-13 10:26 ` Skyler Ferris
2024-04-13 12:47 ` Giovanni Biscuolo
2024-04-14 16:22 ` Skyler Ferris
2024-04-12 13:09 ` Attila Lendvai
2024-04-12 20:42 ` Ludovic Courtès
2024-04-13 6:13 ` Giovanni Biscuolo
2024-05-07 18:22 ` 3 kinds of bootstrap (was Re: backdoor injection via release tarballs combined with binary artifacts) Simon Tournier
2024-04-05 10:13 ` backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) Giovanni Biscuolo
2024-04-05 14:51 ` Attila Lendvai
2024-04-13 7:42 ` Giovanni Biscuolo
2024-04-04 23:03 ` Ricardo Wurmus
2024-04-05 7:06 ` Giovanni Biscuolo
2024-04-05 7:39 ` Ricardo Wurmus [this message]
2024-04-05 16:52 ` Jan Wielkiewicz
2024-03-31 15:04 ` Backdoor in upstream xz-utils Rostislav Svoboda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8734s0jm16.fsf@elephly.net \
--to=rekado@elephly.net \
--cc=g@xelera.eu \
--cc=guix-devel@gnu.org \
--cc=guix-security@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.