Hu Administrator
Joined: 06 Mar 2007 Posts: 21743
Posted: Mon Apr 15, 2024 6:31 pm Post subject: |
The proposed "easy way" is a specific case of the idea that each stage of the build should have access only to data it reasonably needs for proper operation, and nothing more. "Easy ways" that may or may not be so easy:
- Run the build without network access, so no blobs can be downloaded. For many years, this was easily supported. Then Go and Rust made it standard to download blobs from the Internet during the compile phase, and now distributions need to go through extra effort to get those packages to work properly.
- Run the build with only the files needed by that stage of the build. Delete all "unneeded" files before starting each stage. This has the drawback that someone needs to maintain a list of what is needed, and while upstream could propose an initial value for this list, if we assume a hostile developer upstream, then the list of required files itself becomes a target, and distributors would need to audit that the list is safe and minimal.
- Insist that the build script be "obvious" to qualified maintainers. A downstream distributor should be able to review the build and determine that even if binary blobs are present, they are obviously not used. If the distributor cannot confidently state that to be true (and many autotools-based systems will fail this test, just because autotools is so complex), then the build system is presumed to be too complex and presumed to be hiding something. This bullet point has the drawback that it will likely have a high false positive rate, flagging build systems that are not hiding anything malicious, but are just messy or complicated because no one can or will clean them up.
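The first two bullets above, as an added example that is not code from the thread or from any distribution: a small POSIX sh wrapper that stages a build tree from a manifest (one relative path per line, an assumed format), reports every unpacked file the manifest does not cover instead of copying it, and runs the stage in a network namespace with no network. Function names, the manifest format and the sample tree are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. A manifest lists the files one
# build stage may see; everything else in the unpacked source is reported
# rather than copied, and the stage then runs with no network access.

# stage_tree SRC MANIFEST DEST: copy only listed files into a fresh DEST.
# Exit 0: every file in SRC was listed. 1: unlisted files exist (reported on
# stderr, not copied). 2: the manifest is bad (missing or unsafe path),
# since a hostile upstream's manifest is itself a target.
stage_tree() {
    src=$1; manifest=$2; dest=$3
    rm -rf "$dest" && mkdir -p "$dest" || return 2
    while IFS= read -r rel || [ -n "$rel" ]; do
        [ -n "$rel" ] || continue
        case $rel in                      # no absolute or parent-dir escapes
            /*|../*|*/../*|*/..|..) echo "unsafe manifest path: $rel" >&2; return 2 ;;
            */*) mkdir -p "$dest/${rel%/*}" ;;
        esac
        cp -- "$src/$rel" "$dest/$rel" || return 2
    done < "$manifest"
    unlisted=$( (cd "$src" && find . -type f | sed 's|^\./||' | sort) |
                grep -vxF -f "$manifest" )
    [ -z "$unlisted" ] && return 0
    printf '%s\n' "$unlisted" | sed 's/^/not staged (unlisted): /' >&2
    return 1
}

# run_offline DEST CMD...: run one build stage in DEST inside an unprivileged
# user+network namespace (loopback only). Refuses, rather than quietly building
# with network, when unshare is unavailable.
run_offline() {
    dest=$1; shift
    command -v unshare >/dev/null 2>&1 || { echo "unshare not found" >&2; return 3; }
    (cd "$dest" && unshare -rn "$@")
}

# Constructed demo tree: two listed source files plus one opaque test fixture
# the manifest omits; stage_tree copies the two and reports the third.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/src/tests"
    printf 'int main(void){return 0;}\n' > "$t/src/main.c"
    printf 'AC_INIT\n' > "$t/src/configure.ac"
    printf '\000\001\002\003' > "$t/src/tests/fixture.bin"
    printf 'main.c\nconfigure.ac\n' > "$t/manifest"
    if stage_tree "$t/src" "$t/manifest" "$t/build"; then rc=0; else rc=$?; fi
    echo "stage_tree exit=$rc; staged: $(cd "$t/build" && find . -type f | sort | tr '\n' ' ')"
    rm -rf "$t"
}
demo
```

A real build would call `run_offline "$t/build" ./configure` and then `run_offline "$t/build" make` after a stage_tree exit of 0, or after a maintainer has reviewed what was reported.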
Taigo n00b
Joined: 09 Nov 2022 Posts: 74 Location: the Netherlands
Posted: Tue Apr 16, 2024 9:40 am Post subject: Re: The xz package has been backdoored |
From what I heard, Gentoo systems weren't affected anyway, but of course it's still a good idea to downgrade.
By that time the package had already been masked though, and I'm now on xz-utils 5.4.2.