On Sun, 4 Oct 2020, Andreas Kusalananda Kähäri wrote:
> On Sat, Oct 03, 2020 at 10:28:05PM -0400, Thien-Thi Nguyen wrote:
> > Additionally:
> > $ sha256sum autoconf-2.69c.tar.xz
> > 923c2ecce25c55f6c7ce3a2c68cf066be13140edf6cb41083128b43763fa1723 autoconf-2.69c.tar.xz
> > What do other people see?
> Yes, the SHA256 is the same that I see. The file is signed with the
> wrong key though (not the key mentioned in the "autoconf-2.69c released
> [beta]" email message to the list).

I see the same here.
The sad thing is that Autoconf is very security-sensitive software.
We are placing extreme trust in it given that our personal accounts
could be compromised by running autoconf or the generated configure
script, the host computer could be taken over during 'make install',
and a security defect could result in many user accounts/computers
being compromised. It is theoretically possible for Autoconf to
result in code being stealthily injected into the built binaries.
It is important to get these things right!
A discussion of Autotools and security is certainly warranted. There
are many moving parts which are assimilated from various places.
Some of these places might be based on signed packages but other
places might just be whatever happened to be pulled in a git checkout.
Git repositories are only as secure as the people authorized to push
to them, and the security of the server where they are hosted.
As an example, my own project gets the latest config.guess and
config.sub from a git repository using the pattern
"https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob_plain;f=config/${file};hb=HEAD"
I am trusting that the gnulib repository (and its gitweb front end) is
inherently secure but without any proof of it.
Bob
--
Bob Friesenhahn
bfriesen@xxxxxxxxxxxxxxxxxxx, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
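The two checks raised in this thread (a tarball signed by a key other than the announced one, and config.guess/config.sub pulled from gitweb at hb=HEAD with no verification) can both be closed with a little pinning. The script below is an added example, not code from the autoconf list, from gnulib, or from GraphicsMagick. It uses the gitweb URL pattern quoted above, but the commit id, the expected SHA-256 values and the key fingerprint are placeholders the maintainer would record when updating; none are real values from this thread. It goes slightly beyond the message by also checking the GPG signature against a pinned fingerprint, since `gpg --verify` exits 0 for a good signature from any key in the keyring, which is exactly the "signed with the wrong key" case.

```shell
#!/bin/sh
# Added example (not from the autoconf thread or any GNU project): pin and
# verify what a build pulls in, instead of trusting an unverified hb=HEAD
# gitweb fetch or the bare exit status of "gpg --verify".

# sha256 of a file, portable across sha256sum (GNU) and shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: returns 0 if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(file_sha256 "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "sha256 mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_pinned FILE COMMIT EXPECTED_HEX DEST
# Fetch config/FILE from gnulib at a specific commit rather than HEAD, and
# refuse to install it unless it matches the pinned hash. COMMIT and
# EXPECTED_HEX are values the maintainer records (hypothetical here).
fetch_pinned() {
    file=$1
    commit=$2
    expected=$3
    dest=$4
    url="https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob_plain;f=config/${file};hb=${commit}"
    tmp=$(mktemp) || return 1
    if ! curl --fail --silent --show-error --location "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest" && chmod 755 "$dest"
}

# verify_sig SIGFILE FILE EXPECTED_FPR
# Parse gpg's machine-readable status and require that the signature was made
# by the pinned key. VALIDSIG's first field is the fingerprint of the signing
# (sub)key; its last field is the primary key fingerprint, so pin whichever
# the release announcement publishes.
verify_sig() {
    sigfile=$1
    file=$2
    expected_fpr=$3
    status=$(gpg --batch --status-fd 1 --verify "$sigfile" "$file" 2>/dev/null) || return 1
    actual_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    if [ "$actual_fpr" = "$expected_fpr" ]; then
        return 0
    fi
    echo "signature not from pinned key: expected $expected_fpr, got ${actual_fpr:-none}" >&2
    return 1
}

# Usage (placeholders, not real values):
#   fetch_pinned config.guess <gnulib-commit> <sha256> build-aux/config.guess
#   verify_sha256 autoconf-2.69c.tar.xz <sha256-from-announcement>
#   verify_sig autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz <announced-fingerprint>
```

A rejected download is removed before anything is copied into the tree, and a signature from an unexpected key fails even though gpg itself reported it as good; both are the behaviours a maintainer wants when the upstream repository or its front end is something they trust "without any proof of it".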