Hu Administrator
Joined: 06 Mar 2007 Posts: 22694
Posted: Mon Apr 15, 2024 6:31 pm
The proposed "easy way" is a specific case of the idea that each stage of the build should have access only to data it reasonably needs for proper operation, and nothing more. "Easy ways" that may or may not be so easy:

- Run the build without network access, so no blobs can be downloaded. For many years, this was easily supported. Then Go and Rust made it standard to download blobs from the Internet during the compile phase, and now distributions need to go through extra effort to get those packages to work properly.
- Run the build with only the files needed by that stage of the build. Delete all "unneeded" files before starting each stage. This has the drawback that someone needs to maintain a list of what is needed, and while upstream could propose an initial value for this list, if we assume a hostile developer upstream, then the list of required files itself becomes a target, and distributors would need to audit that the list is safe and minimal.
- Insist that the build script be "obvious" to qualified maintainers. A downstream distributor should be able to review the build and determine that even if binary blobs are present, they are obviously not used. If the distributor cannot confidently state that to be true (and many autotools-based systems will fail this test, just because autotools is so complex), then the build system is presumed to be too complex and presumed to be hiding something. This bullet point has the drawback that it will likely have a high false positive rate, flagging build systems that are not hiding anything malicious, but are just messy or complicated because no one can or will clean them up.
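As an added illustration of the second point above (this is editor-supplied example code, not Hu's and not anything from Gentoo or xz), the script below stages one build step with only an allow-listed set of input files and reports everything it left behind, listing separately any leftovers that look like binary blobs so a reviewer can confirm the build never needs them. The sample project tree, the allow-list patterns and the "looks binary" heuristic are all constructed for the example; as the post notes, the allow-list itself is something the distributor still has to audit.

```python
"""Stage one build step with only its allow-listed inputs (added example)."""
import fnmatch
import shutil
import tempfile
from pathlib import Path

# Heuristic for "looks like a binary blob": a NUL byte, or more than 30 %
# of the sampled bytes outside printable ASCII and common whitespace.
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_binary(path: Path, sample: int = 4096) -> bool:
    data = path.read_bytes()[:sample]
    if not data:
        return False
    if b"\x00" in data:
        return True
    non_text = sum(1 for b in data if b not in _TEXT_BYTES)
    return non_text / len(data) > 0.30


def stage_inputs(source: Path, allow_patterns, stage: Path) -> dict:
    """Copy only files matching allow_patterns (relative paths, fnmatch-style)
    from source into stage. Everything else stays behind and is reported;
    binary-looking leftovers are listed separately for manual review."""
    copied, excluded, binary_excluded = [], [], []
    files = sorted(
        (p for p in source.rglob("*") if p.is_file()),
        key=lambda p: p.relative_to(source).as_posix(),
    )
    for path in files:
        rel = path.relative_to(source).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in allow_patterns):
            dest = stage / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
            copied.append(rel)
        else:
            excluded.append(rel)
            if looks_binary(path):
                binary_excluded.append(rel)
    return {"copied": copied, "excluded": excluded,
            "binary_excluded": binary_excluded}


def make_sample_tree(root: Path) -> None:
    """Constructed sample source tree for a hypothetical project."""
    (root / "src").mkdir(parents=True)
    (root / "tests" / "files").mkdir(parents=True)
    (root / "configure.ac").write_text("AC_INIT([demo], [1.0])\n")
    (root / "Makefile.am").write_text(
        "bin_PROGRAMS = demo\ndemo_SOURCES = src/demo.c\n")
    (root / "src" / "demo.c").write_text("int main(void) { return 0; }\n")
    (root / "tests" / "files" / "good.txt").write_text("hello\n")
    # An opaque test fixture: the compile stage has no reason to read it.
    (root / "tests" / "files" / "sample.bin").write_bytes(
        bytes(range(256)) * 4)


# Hypothetical allow-list for the compile stage: build scripts and C sources
# only. Test fixtures are deliberately absent.
COMPILE_STAGE_ALLOWLIST = ["configure.ac", "Makefile.am", "src/*.c", "src/*.h"]


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        stage = Path(tmp) / "stage"
        make_sample_tree(source)
        return stage_inputs(source, COMPILE_STAGE_ALLOWLIST, stage)


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

The staged directory is what the compile step would actually be pointed at; anything in `binary_excluded` is a prompt for the reviewer to check whether the build scripts reference it at all, which is exactly the question the third point asks a maintainer to be able to answer.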
Taigo Tux's lil' helper
Joined: 09 Nov 2022 Posts: 105 Location: the Netherlands
Posted: Tue Apr 16, 2024 9:40 am Post subject: Re: The xz package has been backdoored
From what I heard, Gentoo systems weren't affected anyway, but of course it is still a good idea to downgrade.
By that time the package had already been masked though, and I'm now on xz-utils 5.4.2.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5121 Location: Bavaria
Moonboots Apprentice
Joined: 02 Dec 2006 Posts: 164
Posted: Thu May 30, 2024 4:35 am
Yes, great to see Sam generously offering his time. Although long term it would have been good to see a major tech company stepping up to provide paid support for keeping these types of open source projects properly maintained.
As I write this post, there is not a single mention of Sam by those replying in the Phoronix forum, just the usual breakdown into infantile squabbling.
Da51d n00b
Joined: 27 Mar 2024 Posts: 12