Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

[Sam James]

Bruno Haible <bruno@clisp.org> writes:

> Richard Stallman commented on Jacob Bachmeyer's idea:
>>   > > Another related check that /would/ have caught this attempt would be 
>>   > > comparing the aclocal m4 files in a release against their 
>> (meta)upstream 
>>   > > sources before building a package.  This is something distribution 
>>   > > maintainers could do without cooperation from upstream.  If 
>>   > > m4/build-to-host.m4 had been recognized as coming from gnulib and 
>>   > > compared to the copy in gnulib, the nonempty diff would have been 
>>   > > suspicious.
>> 
>> I have a hunch that some effort is needed to do that comparison, but
>> that it is feasible to write a script to do it could make it easy.
>> Is that so?
>
> Yes, the technical side of such a comparison is relatively easy to
> implement:
>   - There are less than about 2000 or 5000 *.m4 files that are shared
>     between projects. Downloading and storing all historical versions
>     of these files will take ca. 0.1 to 1 GB.
>   - They would be stored in a content-based index, i.e. indexed by
>     sha256 hash code.
>   - A distribution could then quickly test whether a *.m4 file found
>     in a distrib tarball is "known".
>
> The recurrently time-consuming part is, whenever an "unknown" *.m4 file
> appears, to
>   - manually review it,
>   - update the list of upstream git repositories (e.g. when a project
>     has been forked) or the list of releases to consider (e.g. snapshots
>     of GNU Autoconf or GNU libtool, or distribution-specific modifications).
>
> I agree with Jacob that a distro can put this in place, without needing
> to bother upstream developers.

I'm currently looking at adding support for this to
https://github.com/hlein/distro-backdoor-scanner. It was brought up at
https://openwall.com/lists/oss-security/2024/04/02/5.

>
> Bruno

best,
sam