You are not logged in.
- Topics: Active | Unanswered
#1 2024-05-14 18:20:46
- lquidfire
- Member
- From: South Africa
- Registered: 2017-07-26
- Posts: 69
[SOLVED] Explainer needed: Autoreconf recommended to prevent malware?
Hi all,
I recently adopted this package (eid-mw) in AUR.
In a comment of May 8th, it was suggested that 'autoreconf' be run, somehow related to the "xz-backdoor debacle".
I asked for a clarification, but have not received one yet. Perhaps someone here can enlighten me? I prefer to understand suggestions for modifications to the PKGBUILD.
Thank you in advance!
Last edited by lquidfire (2024-05-16 06:18:21)
Offline
#2 2024-05-14 18:47:17
- loqs
- Member
- Registered: 2014-03-06
- Posts: 17,765
Re: [SOLVED] Explainer needed: Autoreconf recommended to prevent malware?
Regenerating the GNU Build System files from their inputs would remove any `hidden` code in those files which did not originate from their inputs. https://aur.archlinux.org/cgit/aur.git/ … cf5a5e0243 indicated the former maintainer only believed configure needed to be regenerated without providing a rationale for that.
Last edited by loqs (2024-05-14 19:07:56)
Offline
#3 2024-05-14 19:04:00
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 11,808
Re: [SOLVED] Explainer needed: Autoreconf recommended to prevent malware?
The way the trigger was inserted into the xz lib was that a line was added to an m4 macro file while creating the tarball, never committed to the public repo. The request is a somewhat clumsy attempt to prevent things like that, although it would only work if the configure script had been modified directly and wouldn't have made a difference in the xz case.
Offline
#4 2024-05-14 19:40:06
- lquidfire
- Member
- From: South Africa
- Registered: 2017-07-26
- Posts: 69
Re: [SOLVED] Explainer needed: Autoreconf recommended to prevent malware?
@loqs: That former maintainer was I. I followed the given advice. Then I thought: I have no idea how this helps or if it does not do anything unexpected, so I better revert and find out if this is a sensible thing to do.
Do I understand correctly that:
1) It is okay to run the autoreconf in this case;
2) It is not specific to this package, but the suggestion would apply to all packages that use autotools?
3) It is not to prevent a problem with xz, but a possible similar issue that could arise with eid-mw? (see also point 2)?
4) Would you suggest I add the autoreconf, and leave it there? Indefinitely?
Thank you for your swift replies!
Last edited by lquidfire (2024-05-14 19:41:04)
Offline
#5 2024-05-14 20:37:47
- seth
- Member
- Registered: 2012-09-03
- Posts: 54,566
Re: [SOLVED] Explainer needed: Autoreconf recommended to prevent malware?
Yes, yes, yes and your call - you add more dependencies and build time/pitfalls, but don't forget that malware is malicious.
This focuses on a specific way how malicious code **could** be injected (that has not even been the actual vector in the xz case).
You're not "making it safe" this way, you're closing a window - but if you don't trust upstream, there're a couple of barn doors wide open.
Offline
#6 2024-05-14 21:19:36
- loqs
- Member
- Registered: 2014-03-06
- Posts: 17,765
Re: [SOLVED] Explainer needed: Autoreconf recommended to prevent malware?
1) It is okay to run the autoreconf in this case;
Provided the inputs are compatible with the version of autotools you are using it should not break the build. To emphasize seth's point if no one is looking at any of the inputs be it configure or what is used to generate configure then how does changing the inputs result in improved security?
Offline
#7 2024-05-15 13:19:58
- lquidfire
- Member
- From: South Africa
- Registered: 2017-07-26
- Posts: 69
Re: [SOLVED] Explainer needed: Autoreconf recommended to prevent malware?
Thank you all for your input.
I have modified the PKGBUILD slightly, leaving the prepare() block, but completely disabled. I added a comment that I hope is helpful for those who build this package (comments welcome).
The package does build fine with the 'autoreconf' enabled. It spits out a couple of warning about deprecated macros, but it builds.
When I tried to update some deprecated macros via a patch file (diff after having run 'autoupdate'), the package would not build anymore. A whole lot of text was added to "configure" (I did a diff on the configure-with-patch and configure-without-patch), and there appears to be some issue with this newly inserted text. I am definitely treading on new territory here, so I left this out of the PKGBUILD for now (I thought it would be kind to send a PR to upstream, but then it does have to work, of course).
I had applied the following patch file via 'patch -p1 -i "${srcdir}"/configure.ac.patch' in "prepare()":
--- eid-mw-5.1.18-v5.1.18/configure.ac~ 2024-05-06 13:16:33.187750286 +0200
+++ eid-mw-5.1.18-v5.1.18/configure.ac 2024-05-15 14:10:42.764925810 +0200
@@ -1,7 +1,8 @@
AC_PREREQ([2.61])
AC_INIT([eid-mw],
m4_esyscmd_s(scripts/build-aux/genver.sh),
- [servicedesk@fedict.be],,
+ [servicedesk@fedict.be],
+ [],
[http://eid.belgium.be])
AC_CONFIG_AUX_DIR([scripts/build-aux])
@@ -22,8 +23,11 @@
defined. Please install the autoconf-archive package.])])
AX_CXX_COMPILE_STDCXX_11()
AC_PROG_CPP
-AC_PROG_CC_C99
-AC_PROG_LIBTOOL
+m4_warn([obsolete],
+[AC_PROG_CC_C99 is obsolete; use AC_PROG_CC
+])dnl
+AC_REQUIRE(AC_PROG_CC)
+LT_INIT
AC_PROG_INSTALL
AC_PROG_LN_S
AC_PROG_MKDIR_PLast edited by lquidfire (2024-05-15 13:32:51)
Offline