IRC channel logs
2024-03-30.log
back to list of logs
<fossy>i am just reading about this. <fossy>this is the -exact- type of attack that led me to push so strongly in live-bootstrap for no pregenerated files <fossy>because configures are entirely unauditable <fossy>(while live-bootstrap does not care about security issues exactly, more trusting trust backdoors etc, so this precise issue is fairly irrelevant, the idea remains the same) <stikonas>fossy: yeah, I'm quite glad we pushed for no pregenerated files <stikonas>just a few minor things left (only nyacc comes to mind) <stikonas>though everything after live-bootstrap then relies on distros that don't have this policy :( <fossy>(to be fair - in this case, we would still be vulnerable because there were extra m4 files in the release tarball compared to the git repo) <fossy>hm, will have to think about that one a bit <sam_>yes, fossy, this is a tricky one <sam_>because we can't JUST autoreconf here <sam_>what we really need is to, at the least, know when a standard macro is being used or not <sam_>even that is a bit of a hack, but.. <sam_>but i mean it is quite common to see stale versions of such macros <matrix_bridge><cosinusoidally> did they compromise signed release tarballs too? <matrix_bridge><cosinusoidally> I'm not sure what you do if a maintainer goes rogue like this. I suppose there's a lack of secure build/signing infrastructure that allowed them to cut a release that differed from what was in git/would have been generated from code in git. <oriansj>the problem with going to git commits, is that sha1 isn't going to save us from very targetted attacks from people with a great deal of resources. <pabs3>this isn't a rogue maintainer, this is probably more likely a state actor <pabs3>and probably a team of people <pabs3>and also the bits not in git aren't the backdoor, thats in "test" files checked into git <fossy>yeah defending against a trusted maintainer is a bit different <oriansj>fossy: yeah, an evil maintainer is like detecting underhanded C exploits