On Mon, 2024-04-01 at 23:37 +0200, Kevin Kofler via devel wrote: > Adam Williamson wrote: > > > * Deleting ALL files automatically generated or imported by autotools in > > > %prep, THEN running "autoreconf -i -f". (DO NOT trust autoreconf, it > > > would NOT have done the right thing here. Delete the files, THEN run > > > autoreconf.) > > > > No. This would not have avoided the attack, because it would not have > > regenerated the malicious file. We have already established that. > > Just running autoreconf would not. As I wrote: "DO NOT trust autoreconf, it > would NOT have done the right thing here." Deleting the file with an > explicit rm -f in %prep, and THEN running autoreconf would have regenerated > (reimported, actually, this comes from gnulib and is copied unchanged, but > in any case it would NOT have contained the malicious additions) the file. > > That said, autoreconf needs fixing too, because -f is supposed to regenerate > all files that can be regenerated, which is not happening. But if you > explicitly delete the files before running autoreconf, then it has to > regenerate them no matter what. Sure, but as others posted upthread, this still doesn't help much. To do this you have to know what m4s are 'standard' and will actually be regenerated, and which are custom and you can't wipe them. And then an attacker could just slip in an extra custom one instead of modifying a 'standard' one. -- Adam Williamson (he/him/his) Fedora QA Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx https://www.happyassassin.net -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue