The DevOps look at the XZ security breach
A lot has been written about the XZ exploit from many angles: social engineering, the open source community, mental health awareness, and so on. They all have kernels of truth in them. A video explainer that covers the whole XZ situation in detail is below.
I would like to take a stab at it from a DevOps and security perspective. The XZ project, like many others, still relies on tools like Autoconf and Makefiles.
These tools have been around for decades and they rely heavily on shell scripting. However, times have changed significantly and the Internet is no longer a safe place.
On top of that, everybody who has ever had to review a somewhat complicated shell script knows that there are days when shell scripts look like a bunch of meaningless symbols.
One of the possible solutions is to use a build system like Bazel (or other Bazel-like build systems, like Please, Pants or Buck) which makes it clear what is a test file and how it is used in the build pipeline.
Consider the following very simple example, which has two build targets - one which builds the binary called “xz” and the second one which runs the tests using the binary (more information about these build rules can be found here and here).
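cc_binary(
    name = "xz",
    srcs = ["main.c"],
)

# Runs unzip_test.sh against the built xz binary and the archives under tests/.
sh_test(
    name = "unzip_test",
    srcs = ["unzip_test.sh"],
    # Runtime inputs of the test: the binary under test plus the test archives.
    data = [":xz"] + glob([
        "tests/*_in_test.tar.xz",
        "tests/*_out_test.tar.xz",
    ]),
)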
This gets rid of 90+% of the shell scripting and makes the Makefiles completely obsolete, while Autoconf can still be integrated with the new build system. On top of that, there are many other benefits, for example hermeticity and reproducible builds, which improve the security of the builds.
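One way to make the separation between test files and the shipped binary enforced by the build system rather than just visible in it, shown as an added example (not code from the original post or from the XZ project). The `tests/` package layout and the `fixtures` target name are assumptions; `testonly`, `visibility` and `somepath` are standard Bazel features.

```starlark
# --- tests/BUILD (assumed layout: fixtures get their own package) ---

# testonly = True means only tests and other testonly targets may depend
# on these archives; any other dependent is rejected at analysis time.
filegroup(
    name = "fixtures",
    testonly = True,
    srcs = glob([
        "*_in_test.tar.xz",
        "*_out_test.tar.xz",
    ]),
    # Only the root package, where the test is declared, may reference it.
    visibility = ["//:__pkg__"],
)

# --- BUILD (repository root) ---

cc_binary(
    name = "xz",
    srcs = ["main.c"],
    # Listing "//tests:fixtures" in srcs or data here makes the build fail:
    # a non-testonly target may not depend on a testonly target.
)

sh_test(
    name = "unzip_test",
    srcs = ["unzip_test.sh"],
    # The binary under test and the fixtures are runtime inputs of the test.
    data = [
        ":xz",
        "//tests:fixtures",
    ],
)

# Review or CI check: the query below prints nothing as long as no
# dependency path leads from the shipped binary to the test fixtures.
#   bazel query 'somepath(//:xz, //tests:fixtures)'
```

Because `glob()` does not cross package boundaries, once `tests/BUILD` exists the root `BUILD` file can no longer pull the archives in with a glob of its own.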
I think these build systems are the future if you want to be serious about security and about preventing supply-chain attacks in the build step. Something for the wider security, Linux and Unix communities to chew on.
(Another option is to consider using Nix, but I do not have experience with it, so I am including it for the sake of completeness only.)