On Mon, Apr 01, 2024 at 09:06:16AM +0900, Dominique Martinet wrote:
> Scott Schmit wrote on Sun, Mar 31, 2024 at 05:02:44PM -0400:
> > Deleting the tests makes no sense to me either, but it seems like a
> > mechanism that ensures the test code can't change the build outputs (or
> > a mechanism to detect that it's happened and abort the build) would
> > allow upstream tests to be run without compromising the integrity of the
> > build itself.
> Just to be clear here that wouldn't have been enough: it's not the test
> step that's modifying the binaries, the actual build step is modified in
> the right conditions to use data that looks like it belongs to a test
> (I've read the actual files aren't actually used in any test and just
> look like test data, I didn't check, it wouldn't be hard to make a test
> that uses them anyway)
> So short of deleting all blobs e.g. all test data this wouldn't have
> been prevented, just not running tests isn't enough.
Yep.
And since we're talking about xz, note that a second malicious issue has
been found: [1] is a revert of [2] which sabotages CMakeLists.txt
to always disable Landlock sandbox.
Clearly, the only reasonable solution is to delete all the CMake cruft ;)
[1] https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f...
[2] https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644ef...
Zbyszek