On Sun, Mar 31, 2024 at 09:07:21AM -0000, François Rigault wrote:
> hi Zbyszek,
> how did you review the corrupted journal files committed in systemd? Can you know for certain that they do not contain any backdoor or anything illegal or unlicensed?

The licensing and legal side is easy: those files are produced by a program that we wrote (journald), so copyright and patents don't apply. In principle there could be some privileged information in those files, but it was disclosed by the person who submitted a pull request with those files, so at this point distributing this information wouldn't make further difference. And also the person submitting them accepts the license which allows redistribution.

If there's a backdoor: those files are read by a program which is supposed to be resilient against broken input. We execute this program under multiple sanitizers over this input file. So we're doing pretty strong testing that the input is parsed correctly (or refused).

I wrote a bit more about this in another part of the thread [1]. I think that while it's theoretically possible to do something malicious with bad fuzzer samples, it'd be very very hard to pull off.

[1] https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/4DB56MMWUSBEY7YPD5ARIZGF4FFVRYHJ/

Zbyszek