Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

bug-standards

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

From:	Jacob Bachmeyer
Subject:	Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Date:	Mon, 01 Apr 2024 23:04:17 -0500
User-agent:	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.22) Gecko/20090807 MultiZilla/1.8.3.4e SeaMonkey/1.1.17 Mnenhy/0.7.6.0

Russ Allbery wrote:

[...]

There is extensive ongoing discussion of this on debian-devel.  There's no
real consensus in that discussion, but I think one useful principle that's
emerged that doesn't disrupt the world *too* much is that the release
tarball should differ from the Git tag only in the form of added files.

From what I understand, the xz backdoor would have passed this check.The backdoor dropper was hidden in test data files that /were/ in therepository, and required code in the modified build-to-host.m4 toactivate it. The m4 files were not checked into the repository, insteadbeing added (presumably by running autogen.sh with a rigged local m4file collection) while preparing the release.

Someone with a copy of a crocked release tarball should check ifconfigure even had the backdoor "as released" or if the attacker was/depending/ on distributions to regenerate configure before packaging xz.



-- Jacob

[Prev in Thread]

Current Thread

[Next in Thread]

Re: libsystemd dependencies, (continued)
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jose E. Marchesi, 2024/04/01
  - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer, 2024/04/01
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jose E. Marchesi, 2024/04/02
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Zack Weinberg, 2024/04/01
  - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Russ Allbery, 2024/04/01
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Zack Weinberg, 2024/04/01
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/04/01
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Bruno Haible, 2024/04/01
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer, 2024/04/02
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer <=
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Russ Allbery, 2024/04/02
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/04/02
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer, 2024/04/02
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Bruno Haible, 2024/04/02
    - Re: checking aclocal m4 files (was: GNU Coding Standards, automake, and the recent xz-utils backdoor), Jacob Bachmeyer, 2024/04/02
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Richard Stallman, 2024/04/04
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Bruno Haible, 2024/04/04
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Sam James, 2024/04/05
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Richard Stallman, 2024/04/08
    - Re: detecting modified m4 files (was: GNU Coding Standards, automake, and the recent xz-utils backdoor), Jacob Bachmeyer, 2024/04/07

Prev by Date: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Next by Date: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Previous by thread: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Next by thread: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Index(es):
- Date
- Thread