Re: Three steps we could take to make supply chain attacks a bit harder

Scott Schmit wrote on Sun, Mar 31, 2024 at 05:02:44PM -0400:
> Deleting the tests makes no sense to me either, but it seems like a
> mechanism that ensures the test code can't change the build outputs (or
> a mechanism to detect that it's happened and abort the build) would
> allow upstream tests to be run without compromising the integrity of the
> build itself.

Just to be clear here, that wouldn't have been enough: it's not the test
step that's modifying the binaries, the actual build step is modified in
the right conditions to use data that looks like it belongs to a test
(I've read the actual files aren't actually used in any test and just
look like test data; I didn't check, but it wouldn't be hard to make a test
that uses them anyway).

So short of deleting all blobs, e.g. all test data, this wouldn't have
been prevented; just not running tests isn't enough.

In theory it'd be possible to build twice:
- one normal build with test data, and run tests at the end
- a second build without test data (and confirm we've got an identical
binary; builds are reproducible, right?!)

But while we might be able to afford the computing cost, I'm not sure
it's worth it -- this attack vector happened to use test data, but there
are plenty of other ways of doing this, and even just identifying /
removing test data in the first place is hard work for packagers (I
guess we could try to detect binary files but there is no end to that
either, and many builds would just break if we were to automatically
remove tests...)


(Anyway, I also think tests bring more benefits than risks in our case)
-- 
Dominique Martinet | Asmadeus
--
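The "build twice" idea from the message above, as an added example that is not code from this thread or from Fedora's build tooling: the project is built once with its test tree in place and once with the test tree removed, and the two outputs are compared by digest. A difference means the build step read something from the test tree, which is exactly the condition the message says a test-only policy would miss. The fixture (build.sh, tests/, out.bin, the data blob) is constructed for the example, and the "tainted" fixture only stands in for a build that consumes a file shipped as test data; as the message also notes, a build that pulls its payload from somewhere other than the test tree passes this check unchanged.

```shell
#!/bin/sh
# Added example (not code from this thread or from Fedora's build tooling):
# a "build twice" check. Build once with the test tree present, once with it
# removed, and compare the output file. All names below (build.sh, tests/,
# out.bin, the blob contents) are assumptions for the constructed fixture.

# Hex digest of a file; prefers GNU sha256sum, falls back to BSD shasum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_twice SRC_DIR BUILD_CMD TEST_SUBDIR OUTPUT
# Copies SRC_DIR twice, removes TEST_SUBDIR from the second copy, runs
# BUILD_CMD in each copy, and compares OUTPUT from both. Returns 0 when the
# digests match, 1 when they differ, 2 when an argument is bad or a build fails.
build_twice() {
    src=$1; cmd=$2; tests=$3; out=$4
    [ -n "$tests" ] || return 2
    work=$(mktemp -d) || return 2
    cp -R "$src" "$work/with_tests"
    cp -R "$src" "$work/without_tests"
    rm -rf "$work/without_tests/$tests"
    for tree in with_tests without_tests; do
        ( cd "$work/$tree" && sh -c "$cmd" ) >/dev/null 2>&1 || { rm -rf "$work"; return 2; }
    done
    h1=$(digest "$work/with_tests/$out")
    h2=$(digest "$work/without_tests/$out")
    rm -rf "$work"
    [ "$h1" = "$h2" ]
}

# make_fixture DIR MODE writes a constructed toy project. MODE "clean" has a
# build step that reads only src/; MODE "tainted" has a build step that also
# appends tests/data.bin to the output whenever that file exists, standing in
# for a build that quietly consumes something shipped as test data.
make_fixture() {
    dir=$1; mode=$2
    mkdir -p "$dir/src" "$dir/tests"
    printf 'int main(void) { return 0; }\n' > "$dir/src/main.c"
    printf 'constructed-test-blob' > "$dir/tests/data.bin"   # constructed sample
    if [ "$mode" = tainted ]; then
        cat > "$dir/build.sh" <<'EOF'
cat src/main.c > out.bin
[ -f tests/data.bin ] && cat tests/data.bin >> out.bin
exit 0
EOF
    else
        cat > "$dir/build.sh" <<'EOF'
cat src/main.c > out.bin
EOF
    fi
}

# Demo: run the check against both fixtures and report the verdict.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/clean" clean
make_fixture "$demo_dir/tainted" tainted
for name in clean tainted; do
    if build_twice "$demo_dir/$name" "sh build.sh" tests out.bin; then
        echo "$name: output identical with and without tests"
    else
        echo "$name: output differs when the test tree is removed"
    fi
done
rm -rf "$demo_dir"
```

In a real packaging flow the two build commands would be the spec's %build step run in two prepared source trees, and the comparison would cover every installed file rather than one output; the check only means anything when the build is otherwise reproducible, since any non-determinism (timestamps, build paths) produces a difference that has nothing to do with test data.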
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue