I was recently reading about the backdoor announced in xz-utils the
other day, and one of the things that caught my attention was how
(ab)use of the GNU build system played a role in allowing the backdoor
to go unnoticed: https://openwall.com/lists/oss-security/2024/03/29/4

Specifically, what caught my attention was how the release tarball
containing the backdoor didn't match the history of the project in its
git repository. That made me think about automake's `distcheck`
target, whose entire purpose is to make it easier to verify that a
distribution tarball can be rebuilt from itself and contains all the
things it ought to contain. However, as I check the GNU Coding
Standards now, I notice that it doesn't say anything about this
target. I'm wondering if it might be worthwhile to upgrade the
`distcheck` target's prominence to recommend it in the "Standard
Targets for All Users" section of the GCS? Specifically here:
https://www.gnu.org/prep/standards/html_node/Standard-Targets.html#Standard-Targets

Recommending the `distcheck` target to a wider variety of users would
help more projects catch mismatches between things a distribution
tarball is supposed to contain and things that it isn't supposed to.
This would be a win for security and could help make it easier to
catch future possible bad actors trying to pull a similar trick. What
do people think?

Eric Gallager
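The tarball-versus-repository comparison the message alludes to, as an added example that is not part of the original post or of automake: `make distcheck` confirms a tarball can rebuild and redistribute itself, but it does not compare the shipped files with the sources tracked in git, so this script (constructed sample data; the allowlist of autotools-generated files is a hypothetical starting point) reports files that are shipped but untracked, tracked but altered, and tracked but omitted.

```python
import io
import tarfile

# Autotools products expected in a `make dist` tarball but not tracked in git
# (constructed allowlist for this example; a real project would tune it).
EXPECTED_GENERATED = {"configure", "aclocal.m4", "config.h.in", "build-aux/compile",
                      "build-aux/config.guess", "build-aux/config.sub",
                      "build-aux/depcomp", "build-aux/install-sh", "build-aux/missing"}

def is_generated(path):
    return path in EXPECTED_GENERATED or path.split("/")[-1] == "Makefile.in"

def tarball_members(data):
    """Map path (top-level dir stripped) -> bytes for each regular file."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                members[m.name.split("/", 1)[-1]] = tf.extractfile(m).read()
    return members

def audit_tarball(data, tracked):
    """tracked: {path: bytes} at the release tag (e.g. taken from `git archive`)."""
    members = tarball_members(data)
    # extras: shipped but neither tracked nor a known autotools product;
    # modified: tracked but shipped with different bytes; missing: tracked but left out
    return {
        "extras": sorted(p for p in members if p not in tracked and not is_generated(p)),
        "modified": sorted(p for p in members if p in tracked and members[p] != tracked[p]),
        "missing": sorted(p for p in tracked if p not in members),
    }

def build_tarball(files, topdir="pkg-1.0"):
    """Create a .tar.gz in memory; stands in for a real release artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(f"{topdir}/{path}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def run_demo():
    """Constructed sample: a repo snapshot and a tarball that drifts from it."""
    tracked = {"configure.ac": b"AC_INIT([pkg],[1.0])\n", "README": b"hello\n",
               "m4/extra.m4": b"# macro\n", "src/main.c": b"int main(void){return 0;}\n"}
    shipped = dict(tracked)
    del shipped["README"]                                 # dropped from the release
    shipped["m4/extra.m4"] = b"# macro\n# changed\n"      # altered in the release
    shipped["build-aux/helper.sh"] = b"#!/bin/sh\n"       # unexplained extra file
    shipped["configure"] = b"#!/bin/sh\n"                 # legitimate generated output
    shipped["src/Makefile.in"] = b"all:\n"                # legitimate generated output
    return audit_tarball(build_tarball(shipped), tracked)
```

Anything listed under "extras" or "modified" is exactly the kind of drift between tarball and repository that a release process should explain or reject.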