On Mon, 8 Jul 2024 13:36:36 GMT, Andrew Haley <a...@openjdk.org> wrote:
> There is something that makes me nervous. The big slab of preprocessed code > in libvectormath/sleefinline_rvvm1.h is problematic. Firstly, in all open > source software the code should be the preferred form: > > "The source code must be the preferred form in which a programmer would > modify the program. Deliberately obfuscated source code is not allowed. > Intermediate forms such as the output of a preprocessor or translator are not > allowed." https://opensource.org/osd > > Also, any such intermediate form is a golden example of a vector in which to > hide something nasty. No one is going to read that file, and a malicious > person with access to the JDK source base, either in our own github repo or > in many other places downstream of OpenJDK could hide all manner of thing. In > its form in this PR it's no better than checking in a binary. See > https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/ > > I'd look at including the SLEEF source code, along with a script which > generates the preprocessed form we use in the JDK build, so that more > paranoid JDK builders can regenerate the preprocessed code. > > Of course, I cannot be sure that my fellow reviewers will agree, but I think > it's the right thing to do. While I agree with you in principle, we chose to import Sleef this way for practical reasons. (The actual importing of Sleef is happening in https://github.com/openjdk/jdk/pull/19185 / [JDK-8329816](https://bugs.openjdk.org/browse/JDK-8329816).) The "preprocessing/code-generation" part of the Sleef build was considered too complex to reasonably replicate in the OpenJDK build system. Sleef is built using Cmake and we do not want to add a build dependency on Cmake and call out to a foreign build system at build time, for efficiency and complexity reasons. JDK-8329816 comes with a script to automatically generate the imported source files, to make it easy to update Sleef in the future. It should also be easy enough to verify the imported contents using the same script for anyone who wants to check the validity of the import step. ------------- PR Comment: https://git.openjdk.org/jdk/pull/18605#issuecomment-2214172864
