GNU Coding Standards, automake, and the recent xz-utils backdoor
From: Eric Gallager
Subject: GNU Coding Standards, automake, and the recent xz-utils backdoor
Date: Sat, 30 Mar 2024 12:55:35 -0400
I was recently reading about the backdoor announced in xz-utils the
other day, and one of the things that caught my attention was how
(ab)use of the GNU build system played a role in allowing the backdoor
to go unnoticed: https://openwall.com/lists/oss-security/2024/03/29/4
Specifically, what caught my attention was how the release tarball
containing the backdoor didn't match the history of the project in its
git repository. That made me think about automake's `distcheck`
target, whose entire purpose is to make it easier to verify that a
distribution tarball can be rebuilt from itself and contains all the
things it ought to contain. However, as I check the GNU Coding
Standards now, I notice that it doesn't say anything about this
target. I'm wondering if it might be worthwhile to upgrade the
`distcheck` target's prominence to recommend it in the "Standard
Targets for All Users" section of the GCS? Specifically here:
https://www.gnu.org/prep/standards/html_node/Standard-Targets.html#Standard-Targets
Recommending the `distcheck` target to a wider variety of users would
help more projects catch mismatches between things a distribution
tarball is supposed to contain, and things that it isn't supposed to. This would
be a win for security and could help make it easier to catch future
possible bad actors trying to pull a similar trick. What do people
think?
Eric Gallager
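The check the message is reaching for goes one step beyond `make distcheck`: `distcheck` proves a tarball can rebuild itself, but it says nothing about whether that tarball matches the tagged commit in git. The script below is an added example, not part of the original message and not automake's own code. It assumes you have already rebuilt a tarball from the tagged checkout (`git checkout vX.Y.Z && autoreconf -fi && ./configure && make dist`, with the same autotools versions the maintainer used, otherwise generated files such as `configure` and `Makefile.in` will legitimately differ) and extracted both the published and the rebuilt tarball. It then reports every file that exists in only one tree or whose contents differ. The sample trees it builds are constructed for the demonstration; the file names in them (`m4/extra-macro.m4`, `ChangeLog`, `configure.ac`) are illustrative and are not the files involved in the xz-utils incident.

```shell
#!/bin/sh
# Added example: compare a published release tarball against a tree rebuilt
# from the project's VCS at the same tag. Requires only POSIX tools plus
# sha256sum (or shasum). Not part of automake or of the original message.

TAB=$(printf '\t')

# hash_files FILE...: print "hash  path" lines (sha256sum, shasum fallback)
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# tree_digest DIR: one "path<TAB>hash" line per regular file, sorted by path
tree_digest() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do hash_files "$f"; done ) \
        | awk '{ path = $0; sub(/^[^ ]+ +/, "", path); print path "\t" $1 }' \
        | LC_ALL=C sort -t "$TAB" -k1,1
}

# compare_trees RELEASE_DIR REBUILT_DIR
# Prints one line per discrepancy and returns 0 only when the trees match.
compare_trees() {
    rel=$1 reb=$2
    d=$(mktemp -d)
    tree_digest "$rel" > "$d/rel"
    tree_digest "$reb" > "$d/reb"
    cut -f1 "$d/rel" > "$d/rel.names"
    cut -f1 "$d/reb" > "$d/reb.names"
    {
        # files shipped in the tarball that a rebuild from VCS does not produce
        LC_ALL=C comm -23 "$d/rel.names" "$d/reb.names" | sed 's/^/only in release: /'
        # files the rebuild produces that the tarball omits
        LC_ALL=C comm -13 "$d/rel.names" "$d/reb.names" | sed 's/^/only in rebuilt: /'
        # files present in both whose contents differ
        LC_ALL=C join -t "$TAB" "$d/rel" "$d/reb" \
            | awk -F '\t' '$2 != $3 { print "modified: " $1 }'
    } > "$d/report"
    cat "$d/report"
    n=$(wc -l < "$d/report" | tr -d ' ')
    rm -rf "$d"
    [ "$n" -eq 0 ]
}

# make_sample_trees: build two constructed trees (not a real project) and
# print their parent directory. The "release" tree differs from the
# "rebuilt" tree in three places: an extra m4 file, a missing ChangeLog,
# and a modified configure.ac.
make_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/rebuilt/src" "$root/rebuilt/m4"
    printf 'AC_INIT([demo], [1.0])\nAC_OUTPUT\n' > "$root/rebuilt/configure.ac"
    printf 'bin_PROGRAMS = demo\n' > "$root/rebuilt/Makefile.am"
    printf 'int main(void) { return 0; }\n' > "$root/rebuilt/src/main.c"
    printf 'dnl macro as shipped upstream\n' > "$root/rebuilt/m4/gnulib-macro.m4"
    printf '2024-03-30 release 1.0\n' > "$root/rebuilt/ChangeLog"
    cp -R "$root/rebuilt" "$root/release"
    rm "$root/release/ChangeLog"
    printf 'dnl macro that exists only in the tarball\n' > "$root/release/m4/extra-macro.m4"
    printf 'AC_INIT([demo], [1.0])\nm4_include([m4/extra-macro.m4])\nAC_OUTPUT\n' \
        > "$root/release/configure.ac"
    echo "$root"
}

# Demonstration on the constructed trees; set NO_DEMO=1 to only load the functions.
if [ -z "${NO_DEMO:-}" ]; then
    root=$(make_sample_trees)
    if compare_trees "$root/release" "$root/rebuilt"; then
        echo "release tarball matches the rebuilt tree"
    else
        echo "release tarball does NOT match the rebuilt tree: investigate before trusting it"
    fi
    rm -rf "$root"
fi
```

Run against real trees as `compare_trees release/project-X.Y.Z rebuilt/project-X.Y.Z`. Every line it prints needs an explanation: files that only appear in the release tarball, or that differ from what the tagged checkout regenerates, are exactly the kind of mismatch the message above describes, and `make distcheck` on the tarball alone would not flag them.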
Thread:
- GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/03/30 (this message)
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Karl Berry, 2024/03/30
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Bruno Haible, 2024/03/30
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/03/30
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Bruno Haible, 2024/03/30
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, dherring, 2024/03/30
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer, 2024/03/31
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jose E. Marchesi, 2024/03/31
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer, 2024/03/31
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/03/31
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Tomas Volf, 2024/03/31