Return-Path: <legal-discuss-return-12807-archive-asf-public=cust-asf.ponee.io@apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id CFFCC200C00
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed,  4 Jan 2017 04:39:39 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id CE9E5160B46; Wed,  4 Jan 2017 03:39:39 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 24893160B43
	for <archive-asf-public@cust-asf.ponee.io>; Wed,  4 Jan 2017 04:39:38 +0100 (CET)
Received: (qmail 52710 invoked by uid 500); 4 Jan 2017 03:39:37 -0000
Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:legal-discuss-help@apache.org>
List-Unsubscribe: <mailto:legal-discuss-unsubscribe@apache.org>
List-Post: <mailto:legal-discuss@apache.org>
Reply-To: legal-discuss@apache.org
List-Id: <legal-discuss.apache.org>
Delivered-To: mailing list legal-discuss@apache.org
Received: (qmail 52694 invoked by uid 99); 4 Jan 2017 03:39:37 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Jan 2017 03:39:37 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 0ABE4C04DB
	for <legal-discuss@apache.org>; Wed,  4 Jan 2017 03:39:37 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -0.02
X-Spam-Level: 
X-Spam-Status: No, score=-0.02 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=disabled
Authentication-Results: spamd1-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key)
	header.d=rectangular-com.20150623.gappssmtp.com
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id J5-7g9-b3Z7G for <legal-discuss@apache.org>;
	Wed,  4 Jan 2017 03:39:35 +0000 (UTC)
Received: from mail-oi0-f53.google.com (mail-oi0-f53.google.com [209.85.218.53])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 60E5C5F30C
	for <legal-discuss@apache.org>; Wed,  4 Jan 2017 03:39:35 +0000 (UTC)
Received: by mail-oi0-f53.google.com with SMTP id b126so530797326oia.2
        for <legal-discuss@apache.org>; Tue, 03 Jan 2017 19:39:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=rectangular-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
        bh=pPBET51tIYO6bS2Q/Nx6x4P8ddE5OGTieS5Z1FNUr4U=;
        b=iATU/2e23ELDkqgatX93NJQmoJJs5vpfaORNQzYUckBPqwCRjtOUpQ2Yyn4w+IUbOA
         i8H6zHQGliVqmBuJNzC1SQEyFot6GCIDtWCguzItZOorVfQAf7aQcqlrhyhMntfnZfY2
         Mrzb/a//6cu9LlrDxkAYoKWntS+EcVCwgdt1bOK/7mci20Nr+xKFn3MBcXk3rlFn40gO
         PUbzum/b1hHucBDX8qXGIoS5GzGyoJMVNbQCCmnY841sPVwMcAE+58KOukLd4CxMi6Pm
         bVL0F/UDcjkgbPt4aQd5biLE7L6yRbL/TKumnEOJSZ+7aQ+i40KFG6/bzaBXgRBp3F1l
         KJXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to;
        bh=pPBET51tIYO6bS2Q/Nx6x4P8ddE5OGTieS5Z1FNUr4U=;
        b=dmZXJEd5kSo6yJh4a6fT1wQeyrTvvPNnQ7PvfAIbfSdub1aTUUG6j09bRWbi1+WoOJ
         DatsetUf/id6wz1rY/YMymspMg2DECo53kSN6SlK6dS6p2qG0VvAiIy3ewN3p60p8Wi0
         qLIgaL3FP7ht6xL7GUMKv4xsj/MYY7SrqYNZUtQFwLPbZgggnvkUlHwFivRyfyrLRbMZ
         OkhQgjHwBmNQSXg5DVmngrEg+Lp32glWBgMRmvELy/xg60YVhW2xGMrtPcwMSYSnPX8u
         2pVNvSOyvK6Q8f7YrPLlfT4hWDhYpPDEg3L9+lBAThJ+hcEX/8lH1TqVHr30+5swv3Jw
         cMOQ==
X-Gm-Message-State: AIkVDXLp2Ej8cFvoWBNpqERqm7j1TwFdeBJYZxGLNBEAIrZEqm/9+9UN3VQqabSE1NEP3WnMl+c7kQ2Rxmq9zQ==
X-Received: by 10.202.52.212 with SMTP id b203mr26544189oia.99.1483501172317;
 Tue, 03 Jan 2017 19:39:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.80.197 with HTTP; Tue, 3 Jan 2017 19:39:11 -0800 (PST)
X-Originating-IP: [99.46.94.139]
In-Reply-To: <CACLE=7OWV_u6CdYrsJ1exW7f0gcdeG-10-NZqMguYot_jkU1QQ@mail.gmail.com>
References: <CAOqetn_SQQV8z3tD+XtGiBNBXGEmogUbju-2aFAsOQBSROWK2A@mail.gmail.com>
 <531A8CB0-9ABF-4A45-97E6-2871034AC1A1@yahoo.de> <D49117E6.7FC45%aharui@adobe.com>
 <CACLE=7NyMBiDQu9wOxFXNpYHjAiVRYSep8pPdgJq4k78pPetdw@mail.gmail.com>
 <D491217E.7FC9E%aharui@adobe.com> <CACLE=7OWV_u6CdYrsJ1exW7f0gcdeG-10-NZqMguYot_jkU1QQ@mail.gmail.com>
From: Marvin Humphrey <marvin@rectangular.com>
Date: Tue, 3 Jan 2017 19:39:11 -0800
Message-ID: <CAAS6=7g_yDAQQM7HAMJ7=S-aGBfs8_owYOKajVTN3jkfKUDF4g@mail.gmail.com>
Subject: Re: Inclusion of .class files within a Apache Source Release
To: "legal-discuss@apache.org" <legal-discuss@apache.org>
Content-Type: text/plain; charset=UTF-8
archived-at: Wed, 04 Jan 2017 03:39:40 -0000

On Tue, Jan 3, 2017 at 9:57 AM, Romain Manni-Bucau
<rmannibucau@gmail.com> wrote:

> About "no binary" vs "no compiled sources": it leads to the trust or not of
> the downloaded package which is guaranteed - between others - by the signing
> we do of the package, not by the extension (as explained it is easy to
> exploit a .png containing a .class). If you can't trust the signing of the
> source bundle then .class is the least issue you can get I fear so really
> not an issue.

> So concretely I read this thread as "do we trust our signing". If the answer
> is no then I think we have a big problem to solve but I'm not seeing why it
> would be the case at the moment.

Cryptographic signing is an important layer of security, but we need other
layers as well.  There are a number of different attack vectors we are
concerned about with regards to avoiding the distribution of untrusted
compiled code.

Consider the following scenarios (the first is worst):

1. A developer machine may be compromised.
2. A developer may be subject to coercion by organized crime or a state agent.
3. A developer may be malicious.

Deliberately contributing a malicious source code patch to an open source
project and getting it past code review is probably not that hard.  However,
such a contribution produces an audit trail; once the issue goes public, the
contributor will have to explain themselves.  That's extremely risky
for the threat agent and a given contributor could probably pull it off
once at most.

So, we believe that source control in conjunction with PMC review, commit
notifications, etc. is a reasonably good defense against trojan horses in the
form of source code.

However, our defenses weaken when we allow compiled code into our products.
If a developer's machine is compromised and a malicious build tool
installed[1], then compromised object code may end up in the repository with
the contributor and the PMC none the wiser!

Of the places that non-auditable code could show up in a project, the most
damaging would be in a compiled dependency, like a jar file, which is
eventually bundled into a library or executable.  Build or test code is harder
to exploit, but still theoretically a problem.  JPEGs in documentation we are
unlikely to worry over.

From a security standpoint, the ideal is to have everything in auditable
source form.  Sometimes it takes some workarounds for that to happen -- but
it's generally worthwhile.

Marvin Humphrey

[1] Examples of compiler attacks include XCodeGhost from fall 2015 and a
    "trusting-trust" hack on the Delphi compiler in 2009.

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org