|
| From: | Jacob Bachmeyer |
| Subject: | Re: compressed release distribution formats (was: GNU Coding Standards, automake, and the recent xz-utils backdoor) |
| Date: | Tue, 02 Apr 2024 20:34:16 -0500 |
| User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.22) Gecko/20090807 MultiZilla/1.8.3.4e SeaMonkey/1.1.17 Mnenhy/0.7.6.0 |
Eric Blake wrote:
[adding in coreutils, for some history] [...] At any rate, it is now obvious (in hindsight) that zstd has a much larger development team than xz, which may alter the ability of zstd being backdoored in the same way that xz was, merely by social engineering of a lone maintainer.
That just means that a cracker group needs to plant a mole in a larger team, which was effectively the goal of the sockpuppet campaign against the xz-utils maintainer, except that the cracker's sockpuppet was the second member of a two-member team. I see no real difference here.
I would argue that GNU software should be consistently available in at least one format that can be unpacked using only tools that are also provided by the GNU project. I believe that currently means "gzip", unfortunately. We should probably look to adopt another one; perhaps the lzip maintainer might be interested?
The xz format is not vulnerable, or at least has not been shown to be so in the sense of security risks, and only xz-utils was backdoored. Nor is there only one implementation: 7-zip can also handle xz files.It is also obvious that having GNU distributions available through only a SINGLE compression format, when that format may be vulnerable,
Agreed. In fact, if multiple formats can be produced concurrently, we could validate that the compressed tarballs are actually identical. (Generate using `tar -cf - [...] | tee >(compress1 >[...].tar.comp1) | tee >(compress2 >[...].tar.comp2) | gzip -9 >[...].tar.gz` if you do not want to actually write the uncompressed tarball to the disk.) But if tarlz is to be used to write the lzipped tarball, you probably want to settle for "same file contents", since tarlz only supports pax format and we may want to allow older tar programs to unpack GNU releases.is a dis-service to users when it is not much harder to provide tarballs in multiple formats. Having multiple tarballs as the recommendation can at least let us automate that each of the tarballs has the same contents,
This is another widespread misunderstanding---almost all of the xz backdoor was hidden in plain sight (admittedly, compressed and/or encrypted) *in* the Git repository. The only piece of the backdoor not found in Git was the modified build-to-host.m4. The xz-utils project's standard practice had been to /not/ commit imported m4 files, but to bring them in when preparing release tarballs. The cracker simply rolled the "key" to the dropper into the release tarball. I still have not seen whether the configure script in the release tarball was built with the modified build-to-host.m4 or if the crackers were depending on distribution packagers to regenerate configure.although it won't make it any more obvious whether those contents match what was in git (which was how the xz backdoor got past so many people in the first place).
Again, everything present in both Git and the release tarball /was/ /identical/. There were no mismatches, only files added to the release that are not in the repository, and that are /expected/ to be added to a release.
-- Jacob
| [Prev in Thread] | Current Thread | [Next in Thread] |