Once upon a time, Michael Catanzaro <mcatanzaro(a)redhat.com> said:
I agree that running autoreconf on our packages makes sense to start
doing. Still, to avoid this backdoored m4 file, we would have needed
to stop using release tarballs altogether and switch to using git
tags directly instead. That would at least force the malicious
attacker to commit their code to version control, making it slightly
harder to hide the attack.
Using a signed tarball is ideally better than a git tag (it's an extra
level of author attestation)... but where both are available, it'd be
nice to have a way to denote in the spec file that there are two URLs
for the source. In this case, if both URLs were listed and something
could be run to automatically fetch and compare them, the attack code
would have been flagged.
Just because something is public in a git tag doesn't mean somebody else
reviewed it and caught an attack (after all, in this case, part of it
was committed to git and at least one other maintainer didn't notice
anything odd).
--
Chris Adams <linux(a)cmadams.net>