Release tarballs and security (xz fallout)

Release tarballs and security (xz fallout)

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 1099 bytes --]

Hi all!

For context: <https://tukaani.org/xz-backdoor/>

Given the recent XZ vulnerability caught just in time, I wonder if we
should take any action in this project to help the ecosystem.

Some have mentioned that release tarballs are too opaque, and can easily
hide code that's not under git(1) control.  I myself have been feeling
like that for a long time.

I've modified the build system recently so that tarballs should be
reproducible byte-per-byte.  This means that downstream distributors
don't really need to "trust" tarballs signed by me, but they can (and
IMO should) generate them themselves by running `make dist`, and they
should be fine.  Our git tags (and all the commits, BTW) are signed.

Here's my proposal:

Stop distributing release tarballs, and instead ask downstream packagers
to create them themselves by running `make dist`, or even not using
tarballs at all; `make install` from a tarball should be exactly the
same as `make install` from the source repository (IIRC).

Any opinions?

Cheers,
Alex

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

AW: Release tarballs and security (xz fallout)

[Walter Harms]

hello, here my opinion ...

I followed the xz hack and the main problem (in my view) is that the person
(tried or go) write access to the git archive. In that case it is game over.

Normaly i run a tar vtzf BEFORE i install a tarball (more to make sure that
they will produce a directory and do not spill everything in my home). That is
be no means perfect but it helps a bit.

For the man-page project i can imagine a 2 tarball solution. One for the pages, and one
for anything executeable, so i can use an older/trusted version of an installer, but
again an "evil maintainer"-attack is - as any suply-chain-attack -  hard to notice
and even harder to prevent.

YM2C
  wh
________________________________________
Von: Alejandro Colomar <alx@kernel.org>
Gesendet: Dienstag, 9. April 2024 17:29:16
An: linux-man@vger.kernel.org
Betreff: Release tarballs and security (xz fallout)

Hi all!

For context: <https://tukaani.org/xz-backdoor/>

Given the recent XZ vulnerability caught just in time, I wonder if we
should take any action in this project to help the ecosystem.

Some have mentioned that release tarballs are too opaque, and can easily
hide code that's not under git(1) control.  I myself have been feeling
like that for a long time.

I've modified the build system recently so that tarballs should be
reproducible byte-per-byte.  This means that downstream distributors
don't really need to "trust" tarballs signed by me, but they can (and
IMO should) generate them themselves by running `make dist`, and they
should be fine.  Our git tags (and all the commits, BTW) are signed.

Here's my proposal:

Stop distributing release tarballs, and instead ask downstream packagers
to create them themselves by running `make dist`, or even not using
tarballs at all; `make install` from a tarball should be exactly the
same as `make install` from the source repository (IIRC).

Any opinions?

Cheers,
Alex

--
<https://www.alejandro-colomar.es/>

Re: AW: Release tarballs and security (xz fallout)

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 2524 bytes --]

Hi Walter!

It's nice to hear from you again.  :)

On Wed, Apr 10, 2024 at 07:26:06PM +0000, Walter Harms wrote:
> hello, here my opinion ...
> 
> I followed the xz hack and the main problem (in my view) is that the person
> (tried or go) write access to the git archive. In that case it is game over.

Not all of the evil files were under git.  Probably because it would
have been too suspicious.  Some file was injected in the distribution
tarball.  This is what I'd like to preclude by not having tarballs.

> Normaly i run a tar vtzf BEFORE i install a tarball (more to make sure that
> they will produce a directory and do not spill everything in my home). That is
> be no means perfect but it helps a bit.
> 
> For the man-page project i can imagine a 2 tarball solution. One for the pages, and one
> for anything executeable, so i can use an older/trusted version of an installer, but

This could be interesting.  But the repository is probably simpler to
use for everyone.  And you can do partial checkouts with something like:

$ git checkout vX.X -- share/mk/
$ git checkout vY.Y -- man*/

so you could use an old build system with newer pages easily (I didn't
test the above, so it may need some tweaks, but the idea is there).

> again an "evil maintainer"-attack is - as any suply-chain-attack -  hard to notice
> and even harder to prevent.

The thing is that if I don't create a tarball, there's one fewer step in
which an evil maintainer could inject evil stuff.

If downstreams generate their tarballs from the repo, then an evil
maintainer has to commit the scripts into the git repository, which can
be more easily tracked.

If the tarball is generated by the evil maintainer, then it can inject
any evil files without having to do any commit, which would be harder to
detect.  You'd need to check the file list, which isn't short.  In the
source repo, we have

	$ find * -type f | wc -l
	2875

You could ignore the pages, and diff the rest to older versions, but
that's easier to do if you can use git(1).  You can also regenerate the
tarball yourself from the sources, then diffoscope(1) it with mine.  But
at that point, you've already generated a tarball that --if all goes
well-- should be identical to mine, so why would you want the official
one?

We'd also reduce the need for compressed tarballs, so less dependencies
on tools that seem to be dangerous these days.


Have a lovely day!
Alex

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]