From: Jacob Bachmeyer
Subject: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Date: Sun, 31 Mar 2024 21:52:52 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.22) Gecko/20090807 MultiZilla/1.8.3.4e SeaMonkey/1.1.17 Mnenhy/0.7.6.0

Jose E. Marchesi wrote:
> [...]
>
> I agree that distcheck is good but not a cure all. Any static system can be attacked when there is motive, and unit tests are easily gamed.
>
> The issue seems to be releases containing binary data for unit tests, instead of source or scripts to generate that data. In this case, that binary data was used to smuggle in heavily obfuscated object code.
>
> As a side note, GNU poke (https://jemarch.net/poke) is good for generating arbitrarily complex binary data from clear textual descriptions.

While it is suitable for that use, at last check poke is itself very complex, complete with its own JIT-capable VM. This is good for interactive use, but I get nervous about complexity in testsuites, where simplicity can greatly aid debugging, and it /might/ be possible to hide a backdoor similarly in a poke pickle. (This seems to be a general problem with powerful interactive editors.)
Further, GNU poke defines its own specialized programming language for manipulating binary data. Supplying generator programs in C (or C++) for binary test data in a package that itself uses C (or C++) ensures that every developer with the skills to improve or debug the package can also understand the testcase generators.
-- Jacob