On Mon, Apr 01, 2024 at 09:06:16AM +0900, Dominique Martinet wrote: > Scott Schmit wrote on Sun, Mar 31, 2024 at 05:02:44PM -0400: > > Deleting the tests makes no sense to me either, but it seems like a > > mechanism that ensures the test code can't change the build outputs (or > > a mechanism to detect that it's happened and abort the build) would > > allow upstream tests to be run without compromising the integrity of the > > build itself. > > Just to be clear here that wouldn't have been enough: it's not the test > step that's modifying the binaries, the actual build step is modified in > the right conditions to use data that looks like it belongs to a test > (I've read the actual files aren't actually used in any test and just > look like test data, I didn't check, it wouldn't be hard to make a test > that uses them anyway) > > So short of deleting all blobs e.g. all test data this wouldn't have > been prevented, just not running tests isn't enough. Yep. And since we're talking about xz, note that a second malicious issue has beend found: [1] is a revert of [2] which sabotages CMakeLists.txt to always disable Landlock sandbox. Clearly, the only reasonable solution is to delete all the CMake cruft ;) [1] https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00 [2] https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7 Zbyszek -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
