On Sat, Mar 30, 2024 at 5:15 PM Bruno Haible <[email protected]> wrote:
>
> Eric Gallager wrote:
> > One thing I noticed in the writeup is that part of the way it worked
> > involved a modified copy of gnulib's build-to-host.m4 macro file; ...
> > is if there's anything gnulib can add on
> > its end to ensure that the macro actually does what it's supposed to
> > do?
>
> Having source files that anyone can copy and modify is the core of
> Free Software; therefore any approach relying on checksums is out of
> question.
>
> Unit tests can check that it does _at_least_ what it's supposed to do.
> Here the malware had the effect of _additionally_ doing other things.
> That's something you cannot catch through a unit test (except possibly
> by counting the execution cycles on a virtual CPU that does not have
> any caches).
>
> The best ways to avoid malware are:
> - code reviews (which was lacking in the case of 'xz' [1]),
> - behaviour-based observations in a system that has good tools
>   for introspection and analysis (that we do have in Linux,
>   more than Windows and macOS).
>
> Bruno
>
OK, so even if additional tests wouldn't have caught this particular attack, wouldn't it be good to add some additional tests anyways? Like, why isn't the build-to-host.m4 macro file its own module? Specifically, what I'm thinking of doing would be something like this: diff --git a/modules/build-to-host b/modules/build-to-host new file mode 100644 index 0000000000..0c4482ae21 --- /dev/null +++ b/modules/build-to-host @@ -0,0 +1,22 @@ +Description: + +Files: +m4/build-to-host.m4 + +Depends-on: + +configure.ac-early: +gl_BUILD_TO_HOST_INIT + +configure.ac: +gl_BUILD_TO_HOST([builddir]) + +Makefile.am: + +Include: + +License: +GPL + +Maintainer: +all diff --git a/modules/configmake b/modules/configmake index 7ca9c5c6ca..a342bcf557 100644 --- a/modules/configmake +++ b/modules/configmake @@ -3,9 +3,9 @@ Access from source code to variables set by "configure" or "make". Files: m4/configmake.m4 -m4/build-to-host.m4 Depends-on: +build-to-host gen-header configure.ac: diff --git a/modules/gettext b/modules/gettext index f3db46dee5..44ef749881 100644 --- a/modules/gettext +++ b/modules/gettext @@ -19,7 +19,6 @@ used. Files: m4/gettext.m4 -m4/build-to-host.m4 m4/host-cpu-c-abi.m4 m4/iconv.m4 m4/intl-thread-locale.m4 @@ -30,6 +29,7 @@ m4/progtest.m4 build-aux/config.rpath Depends-on: +build-to-host extensions gettext-h havelib --- This way one could do just `./gnulib-tool --test build-to-host` and `./check-module modules/build-to-host` to test it, rather than having to also test all the additional stuff that the configmake and gettext modules drag in with them. (Note: I'm not sure if the patch is fully correct; just including it to give the general idea of it)
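Review bot: the Description: field of the new modules/build-to-host file is empty, and every other module file opens with a one-line description, so say what the macro set provides (the name says it: turning build-system paths into host-system ones) before this goes in. Separately, the configure.ac: section calls gl_BUILD_TO_HOST([builddir]) unconditionally, which means every package that imports configmake or gettext now gets a builddir conversion it never asked for; if that call is only there so `./gnulib-tool --test build-to-host` has something to exercise, move it into a build-to-host-tests module and leave configure.ac-early: gl_BUILD_TO_HOST_INIT as the module's only configure-time effect, or document in the module file why builddir is converted for everyone.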
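Review bot: in the modules/configmake hunk m4/build-to-host.m4 leaves the Files: list and is supplied through Depends-on: build-to-host instead, so the macros that m4/configmake.m4 uses now arrive via another module's file list; confirm that configmake.m4 pulls them in with AC_REQUIRE rather than relying on the new module's configure.ac-early snippet happening to run first, so that `gnulib-tool --import configmake` still yields a configure that works. The alphabetical placement of build-to-host ahead of gen-header in Depends-on: is right.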
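Review bot: the modules/gettext hunk makes the same file-to-dependency move as configmake, which is consistent, but the gettext module is one that library projects import with `gnulib-tool --lgpl`, and the module it now depends on is declared `License: GPL` in modules/build-to-host; check how gnulib-tool treats that combination (it warns when a module depends on one with an incompatible license) and give the new m4-only module a License: line that matches what gettext declares, since the .m4 file itself carries gnulib's all-permissive notice and an LGPL-compatible declaration costs nothing.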

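The thread above argues that tests can only show a macro file does at least what it should, and that the real defence is someone reading the copy that ships in a tarball. The script below is an added example, not code from the thread and not gnulib's own tooling: it lists which m4/*.m4 files in a source tree differ from the same-named files in a gnulib checkout, so a reviewer knows which ones to read. It does not reject anything (a difference may be a legitimate local change, which is Bruno's objection to checksum enforcement); it only narrows the reading list. The function names `m4_drift_report`, `m4_drift_count` and `make_fixture`, the two-directory layout, and the fixture file contents are my own constructions.

```shell
#!/bin/sh
# Added example (not gnulib's own tooling, not from the thread): report which
# m4/*.m4 files in a source tree differ from the copies in a gnulib checkout,
# so a reviewer knows which macro files to read by hand. Nothing is rejected
# automatically; a difference is only a candidate for review.
# Assumed layout: PROJECT_M4_DIR/foo.m4 corresponds to GNULIB_M4_DIR/foo.m4.

# m4_drift_report PROJECT_M4_DIR GNULIB_M4_DIR
# Prints one line per macro file, "STATUS<TAB>NAME", with STATUS one of
#   same      byte-identical to gnulib's copy
#   MODIFIED  exists in gnulib but differs: read the diff
#   local     no gnulib file of that name (project-specific macro)
# Exit status is 1 if at least one file is MODIFIED, 0 otherwise.
m4_drift_report() {
    project=$1; gnulib=$2; rc=0
    for f in "$project"/*.m4; do
        [ -e "$f" ] || continue            # no *.m4 at all: glob stays literal
        name=${f##*/}
        if [ ! -e "$gnulib/$name" ]; then
            printf 'local\t%s\n' "$name"
        elif cmp -s "$f" "$gnulib/$name"; then
            printf 'same\t%s\n' "$name"
        else
            printf 'MODIFIED\t%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# m4_drift_count PROJECT_M4_DIR GNULIB_M4_DIR: number of MODIFIED files.
m4_drift_count() {
    m4_drift_report "$1" "$2" | grep -c '^MODIFIED' || true
}

# Constructed fixture so the report can be run offline; the file contents are
# placeholders, not the real gnulib macros.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/gnulib" "$base/project"
    printf 'AC_DEFUN([gl_BUILD_TO_HOST_INIT], [:])\n' > "$base/gnulib/build-to-host.m4"
    printf 'AC_DEFUN([gl_CONFIGMAKE_PREP], [:])\n'   > "$base/gnulib/configmake.m4"
    # configmake.m4: identical copy.
    cp "$base/gnulib/configmake.m4" "$base/project/configmake.m4"
    # build-to-host.m4: gnulib's text plus one line upstream never had.
    { cat "$base/gnulib/build-to-host.m4"; printf 'm4_define([extra], [1])\n'; } \
        > "$base/project/build-to-host.m4"
    # proj-local.m4: not a gnulib file.
    printf 'AC_DEFUN([PROJ_LOCAL], [:])\n' > "$base/project/proj-local.m4"
    printf '%s\n' "$base"
}

# Stand-alone usage: build the fixture, print the report, clean up.
if [ "${1-}" = "--demo" ]; then
    base=$(make_fixture)
    m4_drift_report "$base/project" "$base/gnulib" || echo "review needed"
    rm -rf "$base"
fi
```

Run with `sh script.sh --demo` to see the three-line report on the fixture; against a real tree, point the first argument at the project's m4/ directory and the second at gnulib's m4/ directory at the commit the project claims to track. The byte comparison is deliberately dumb: it cannot tell a harmless local patch from a hostile one, and a file reported as MODIFIED still needs the diff read by a person, which is the code review the thread asks for.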