On Fri, 05 Apr 2024 16:45:40 +0200 Mark Wielaard <m...@klomp.org> wrote:
>
> Hi Matheus,
>
> On Thu, 2024-04-04 at 16:56 -0300, Matheus Tavares Bernardino wrote:
> > BTW, just out of curiosity, since the last incident with xz's backdoor
> > (which apparently involved malicious code disguised as a test binary),
> > has the elfutils community already considered using something like
> > Dockerfiles to generate the tests/*.ko.bz2 binaries instead of checking
> > them in the git repo? Just something that crossed my mind while I was
> > developing these patches.
>
> [...]
> In the xz-backdoor case it was actually hidden in a test binary which
> wasn't actually used in the testsuite. So that is certainly something
> to watch out for. Does someone add a binary file for no good reason?
> Also this seems to be a somewhat sophisticated hack and they would
> probably have found some other way to hide something.

Good point :)

> Another would be what you suggest. Create containers for all arches
> supported and (re)generate all test binaries in that container. But
> that would be a lot of containers and for some arches you like to have
> different versions of the tools to generate them. And can that be done
> for all arches? e.g. Does hexagon have qemu support?

It does :) But I was actually thinking about using the containers to
cross-build the binaries, like we do for the QEMU tests. E.g.
https://github.com/qemu/qemu/blob/master/tests/docker/dockerfiles/debian-hexagon-cross.docker

Nonetheless, yeah, that will be a lot of containers, and a significant
amount of work.