Re: Validating tarballs against git repositories

To: debian-devel@lists.debian.org
Subject: Re: Validating tarballs against git repositories
From: Antonio Russo <aerusso@aerusso.net>
Date: Sat, 30 Mar 2024 08:39:57 -0600
Message-id: <[🔎] 48f7b84c-a9d4-4161-956b-9c5c863c38b8@aerusso.net>
In-reply-to: <[🔎] 87wmpkgrma.fsf@hope.eyrie.org>
References: <[🔎] 2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net> <[🔎] ZgeYAQuIz7DBtunP@thunder.hadrons.org> <[🔎] 61e2abfa-b041-4f8d-af9b-a7183cc653e1@gmail.com> <[🔎] 87wmpkgrma.fsf@hope.eyrie.org>

There are many important and useful things here, but I want to address
this one point:

On 2024-03-30 00:29, Russ Allbery wrote:
> Antonio Russo <antonio.e.russo@gmail.com> writes:
> 
>> If that's the case, could make those files at packaging time, analogous
>> to the DFSG-exclude stripping process?
> 
> If I have followed this all correctly, I believe that in this case the
> exploit is not in a build artifact.  It's in a very opaque source artifact
> that is different in the release tarball from the Git archive.  Assuming
> that I have that right, stripping build artifacts wouldn't have done
> anything about this exploit, but comparing Git and release tarballs would
> have.
> 
> I think you're here anticipating a *different* exploit that would be
> carried in build artifacts that Debian didn't remove and reconstruct, and
> that we want to remove those from our upstream source archives in order to
> ensure that we can't accidentally do that.

In this case, as Guillem walks through in a later email, build-to-host.m4
would be generated by autotools under different circumstances (not Debian
today, because of differences in versions).

I therefore consider that file a build artifact, perhaps incorrectly given
Simone's comment that autoreconf cannot be used to reliably re-bootstrap all
of these files.

I was (before Simone's point) arguing to ALWAYS re-bootstrap it all, or at
least always rebootstrap on a Debian machine.  A prerequisite to this, more
generally then, is that we can always rebootstrap from auditable source.

I appreciate that, unless that binary process happens reproducibly, that
just shifts the trustee to a different person, and doesn't actually address
this kind of carefully-orchestrated attack. I also appreciate the Ken
Thompson "trusting trust" nightmare scenario makes the compiler another
major issue.

What I'm hoping for is more limited: assume our existing infrastructure is
sound, but develop hygiene and tooling that prevents accepting binary and
build-artifact Trojans into Debian.

Best,
Antonio

Attachment: OpenPGP_0xB01C53D5DED4A4EE.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Validating tarballs against git repositories
  - From: Antonio Russo <aerusso@aerusso.net>
- Re: Validating tarballs against git repositories
  - From: Guillem Jover <guillem@debian.org>
- Re: Validating tarballs against git repositories
  - From: Antonio Russo <antonio.e.russo@gmail.com>
- Re: Validating tarballs against git repositories
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Validating tarballs against git repositories
Next by Date: Re: Validating tarballs against git repositories
Previous by thread: Re: Validating tarballs against git repositories
Next by thread: Re: Validating tarballs against git repositories
Index(es):
- Date
- Thread