There are many important and useful things here, but I want to address this one point:
On 2024-03-30 00:29, Russ Allbery wrote: > Antonio Russo <antonio.e.ru...@gmail.com> writes: > >> If that's the case, could make those files at packaging time, analogous >> to the DFSG-exclude stripping process? > > If I have followed this all correctly, I believe that in this case the > exploit is not in a build artifact. It's in a very opaque source artifact > that is different in the release tarball from the Git archive. Assuming > that I have that right, stripping build artifacts wouldn't have done > anything about this exploit, but comparing Git and release tarballs would > have. > > I think you're here anticipating a *different* exploit that would be > carried in build artifacts that Debian didn't remove and reconstruct, and > that we want to remove those from our upstream source archives in order to > ensure that we can't accidentally do that. In this case, as Guillem walks through in a later email, build-to-host.m4 would be generated by autotools under different circumstances (not Debian today, because of differences in versions). I therefore consider that file a build artifact, perhaps incorrectly given Simone's comment that autoreconf cannot be used to reliably re-bootstrap all of these files. I was (before Simone's point) arguing to ALWAYS re-bootstrap it all, or at least always rebootstrap on a Debian machine. A prerequisite to this, more generally then, is that we can always rebootstrap from auditable source. I appreciate that, unless that binary process happens reproducibly, that just shifts the trustee to a different person, and doesn't actually address this kind of carefully-orchestrated attack. I also appreciate the Ken Thompson "trusting trust" nightmare scenario makes the compiler another major issue. What I'm hoping for is more limited: assume our existing infrastructure is sound, but develop hygiene and tooling that prevents accepting binary and build-artifact Trojans into Debian. Best, Antonio
OpenPGP_0xB01C53D5DED4A4EE.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
