From a7f23137c11e2df7c89db320f6b207716e396178 Mon Sep 17 00:00:00 2001
From: "David A. Wheeler" <dwheeler@dwheeler.com>
Date: Tue, 3 Dec 2024 10:33:27 -0500
Subject: [PATCH] Provide recommendation to counter xz utils style attack
 (#560)

* Provide recommendation to counter xz utils style attack

The malicious attack on the xz utils slipped through many
defenses because the "source" package included pre-generated
malicious code. This meant that review of the source code
(e.g., as seen by git) couldn't find the problem.

This proposes a best practices to counter it. The text is longer
than I'd like, but it's hard to make it short, and this was a
worrying attack so I think it's reasonable to say this.

We'll probably need to renumber this proposal if we also add
the proposed text to counter attacks like polyfill.io:
https://github.com/ossf/wg-best-practices-os-developers/pull/559
... but I think that's okay!

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Fix grammar nit in xz utils response

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Clarify text

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Fix emphasis for markdownlint

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Update docs/Concise-Guide-for-Developing-More-Secure-Software.md

Co-authored-by: j-k <jack@control-plane.io>
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Clarify source package should only include VCS materials

The source package should be a copy or subset of the VCS materials.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Update docs/Concise-Guide-for-Developing-More-Secure-Software.md

Co-authored-by: Jordan Harband <ljharb@gmail.com>
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

---------

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Co-authored-by: j-k <jack@control-plane.io>
Co-authored-by: Jordan Harband <ljharb@gmail.com>
---
 docs/Concise-Guide-for-Developing-More-Secure-Software.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/Concise-Guide-for-Developing-More-Secure-Software.md b/docs/Concise-Guide-for-Developing-More-Secure-Software.md
index f7932a9f..13d0b40b 100644
--- a/docs/Concise-Guide-for-Developing-More-Secure-Software.md
+++ b/docs/Concise-Guide-for-Developing-More-Secure-Software.md
@@ -33,6 +33,7 @@ Here is a concise guide for all software developers for secure software developm
 24. **Continuously improve**. Improve scores, look for tips, & apply as appropriate.
 25. **Manage succession**. Have clear governance & work to add active, trustworthy maintainer(s).
 26. **Prefer memory-safe languages**. Many vulnerabilities involve memory safety. Where practical, use memory-safe programming languages (most are) and keep memory safety enabled. Otherwise, use mechanisms like extra tools and peer review to reduce risk.
-27. **Ensure production websites only load assets from your own domains**. _Linking_ to other domains is fine, but where practical, don't directly load assets such as JavaScript, CSS, and media (including images) from domains you do not control. If you do, your site might be subverted if that other domain is subverted, so investigate the risks before doing so. See the [subverted polyfill.io revelation in 2024](https://blog.qualys.com/vulnerabilities-threat-research/2024/06/28/polyfill-io-supply-chain-attack).
+27. **If a source code (unbuilt) package is released, it should only include content from the version control system (VCS), and source package users should rebuild, if needed, to create production (built) package(s)**. E.g., if autotools is used, if a source package is released it should _not_ include a generated `configure` file, while recipients should ignore pre-generated files like `configure` and instead rebuild from source (e.g., with `autoreconf`). This eliminates a malware-hiding mechanism, as illustrated by an attack on [xz utils](https://access.redhat.com/security/cve/CVE-2024-3094).
+28. **Ensure production websites only load assets from your own domains**. _Linking_ to other domains is fine, but where practical, don't directly load assets such as JavaScript, CSS, and media (including images) from domains you do not control. If you do, your site might be subverted if that other domain is subverted, so investigate the risks before doing so. See the [subverted polyfill.io revelation in 2024](https://blog.qualys.com/vulnerabilities-threat-research/2024/06/28/polyfill-io-supply-chain-attack).
 
 We welcome suggestions and updates! Please open an [issue](https://github.com/ossf/wg-best-practices-os-developers/issues/) or post a [pull request](https://github.com/ossf/wg-best-practices-os-developers/pulls).