all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Ricardo Wurmus <rekado@elephly.net>
To: Giovanni Biscuolo <g@xelera.eu>
Cc: Guix Devel <guix-devel@gnu.org>,
	 guix-security@gnu.org,
	 Felix Lechner <felix.lechner@lease-up.com>,
	 Ryan Prior <rprior@protonmail.com>
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Fri, 05 Apr 2024 01:03:19 +0200	[thread overview]
Message-ID: <87jzlck9xk.fsf@elephly.net> (raw)
In-Reply-To: <8734s1mn5p.fsf@xelera.eu> (Giovanni Biscuolo's message of "Thu,  04 Apr 2024 12:34:42 +0200")

[mu4e must have changed the key bindings for replies, so here is my mail
again, this time as a wide reply.]

Giovanni Biscuolo <g@xelera.eu> writes:

> So AFAIU using a fixed "autoreconf -fi" should mitigate the risks of
> tampered .m4 macros (and other possibly tampered build configuration
> script)?
>
> IMHO "ignoring" (deleting) pre-built build scripts in Guix
> build-system(s) should be considered... or is /already/ so?

The gnu-build-system has a bootstrap phase, but it only does something
when a configure script does not already exist.  We sometimes force it
to bootstrap the build system when we patch configure.ac.

In previous discussions there were no big objections to always
bootstrapping the build system files from autoconf/automake sources.

This particular backdoor relied on a number of obfuscations:

- binary test data.  Nobody ever looks at binaries.

- incomprehensibility of autotools output.  This one is fundamentally a
  social problem and easily extends to other complex build systems.  In
  the xz case, the instructions for assembling the shell snippets to
  inject the backdoor could hide in plain sight, just because configure
  scripts are expected to be near incomprehensible.  They contain no
  comments, are filled to the brim with portable (lowest common
  denominator) shell magic, and contain bizarrely named variables.

Not using generated output is a good idea anyway and removes the
requirement to trust that the release tarballs are faithful derivations
from the autotools sources, but given the bland complexity of build system
code (whether that's recursive Makefiles, CMake cruft, or the infamous
gorilla spit[1] of autotools) I don't see a good way out.

[1] https://www.gnu.org/software/autoconf/manual/autoconf-2.65/autoconf.html#History

> Given the above observation that <<it is pragmatically impossible [...]
> to peer review a tarball prepared in this manner>>, I strongly doubt that
> a possible Makefile tampering _in_the_release_tarball_ is easy to peer
> review; I'd ask: is it feaseable such an "automated analysis" (see
> above) in a dedicated build-system phase?

I don't think it's feasible.  Since Guix isn't a regular user (the
target audience of configure scripts) it has no business depending on
generated configure scripts.  It should build these from source.

> In other words: what if the backdoor was injected directly in the source
> code of the *official* release tarball signed with a valid GPG signature
> (and obviously with a valid sha256 hash)?

A malicious maintainer can sign bad release tarballs.  A malicious
contributor can push signed commits that contain backdoors in code.

> Do upstream developer communities peer review release tarballs or they
> "just" peer review the code in the official DVCS?

Most do neither.  I'd guess that virtually *nobody* reviews tarballs
beyond automated tests (like what the GNU maintainers' GNUmakefile /
maint.mk does when preparing a release).

> Also, in (info "(guix) origin Reference") I see that Guix packages can have a
> list of uri(s) for the origin of source code, see xz as an example [7]:
> are they intended to be multiple independent sources to be compared in
> order to prevent possible tampering or are they "just" alternatives to
> be used if the first listed uri is unavailable?

They are alternative URLs, much like what the mirror:// URLs do.

> If the case is the first, a solution would be to specify multiple
> independent release tarballs for each package, so that it would be
> harder to copromise two release sources, but that is not something under
> Guix control.

We have hashes for this purpose.  A tarball that was modified since the
package definition has been published would have a different hash.  This
is not a statement about tampering, but only says that our expectations
(from the time of packaging) have not been met.

> All in all: should we really avoid the "pragmatically impossible to be
> peer reviewed" release tarballs?

Yes.

-- 
Ricardo


  parent reply	other threads:[~2024-04-04 23:04 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-29 20:57 Backdoor in upstream xz-utils John Kehayias
2024-03-29 17:51 ` Ryan Prior
2024-03-29 20:39   ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-03-29 20:55     ` Tomas Volf
2024-03-30 21:02       ` Ricardo Wurmus
2024-04-04 10:34   ` backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) Giovanni Biscuolo
2024-04-04 15:12     ` Attila Lendvai
2024-04-04 16:47       ` Giovanni Biscuolo
2024-04-04 15:47     ` Giovanni Biscuolo
2024-04-04 19:48       ` Attila Lendvai
2024-04-04 20:32         ` Ekaitz Zarraga
2024-04-10 13:57           ` Ludovic Courtès
2024-04-11 12:43             ` Andreas Enge
2024-04-11 12:56               ` Ekaitz Zarraga
2024-04-11 13:49                 ` Andreas Enge
2024-04-11 14:05                   ` Ekaitz Zarraga
2024-04-13  0:14                   ` Skyler Ferris
2024-04-19 14:31                     ` Ludovic Courtès
2024-04-13  6:50                   ` Giovanni Biscuolo
2024-04-13 10:26                     ` Skyler Ferris
2024-04-13 12:47                       ` Giovanni Biscuolo
2024-04-14 16:22                         ` Skyler Ferris
2024-04-12 13:09               ` Attila Lendvai
2024-04-12 20:42               ` Ludovic Courtès
2024-04-13  6:13             ` Giovanni Biscuolo
2024-05-07 18:22             ` 3 kinds of bootstrap (was Re: backdoor injection via release tarballs combined with binary artifacts) Simon Tournier
2024-04-05 10:13         ` backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) Giovanni Biscuolo
2024-04-05 14:51           ` Attila Lendvai
2024-04-13  7:42             ` Giovanni Biscuolo
2024-04-04 23:03     ` Ricardo Wurmus [this message]
2024-04-05  7:06       ` Giovanni Biscuolo
2024-04-05  7:39         ` Ricardo Wurmus
2024-04-05 16:52     ` Jan Wielkiewicz
2024-03-31 15:04 ` Backdoor in upstream xz-utils Rostislav Svoboda

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87jzlck9xk.fsf@elephly.net \
    --to=rekado@elephly.net \
    --cc=felix.lechner@lease-up.com \
    --cc=g@xelera.eu \
    --cc=guix-devel@gnu.org \
    --cc=guix-security@gnu.org \
    --cc=rprior@protonmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.