A repeated-build mode has been proposed for inclusion in Nixpkgs, the package repository used by the NixOS distribution, to detect backdoor code resembling the one in the XZ incident. The proposed protection method identifies modifications in release source archives that are absent from the repository holding the code.
The essence of the method is that the source code of a new version of an application is built twice: the first time from the code fetched from the Git repository, and the second time from the code distributed in the ready-made release archive. If the binaries produced by the two builds differ, there are grounds to suspect hidden modifications in the repository or in the archive with the code.
Recall that in the XZ case the code repository contained no suspicious changes. The components forming the backdoor were delivered inside files used in the test suite to verify that xz works correctly. The backdoor was activated at build time, while the XZ source code matched the code from the repository. The Automake M4 macros that activated the backdoor were included only in the finished release archive and were absent from the repository.
The attackers took advantage of the fact that distributions mostly build packages from finished release archives, because when fetching the code for a build a single checksum suffices to verify the integrity of the archive file, and mirrors can be used. Code review focuses mainly on the contents of the repository, so non-obvious differences in the archives are not always noticed immediately.
To simplify verifying that release archives match the corresponding repository snapshots, some open-source projects, such as PostgreSQL, have introduced reproducible archive generation. Tools are provided that let anyone independently build an archive from the code that is identical to the finished archive offered for download. If the independently created archive differs from the archive provided by the project, the repository or the reference archive has been compromised.
The problem is that such a method is practiced only in some cases, while many
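The check described above, both the double-build comparison and the archive-versus-repository comparison, reduces to one operation: compare two directory trees and report files that exist only in the tarball or whose contents differ. The following POSIX shell script is an added example, not code from Nixpkgs, PostgreSQL or the XZ project. It assumes two already-unpacked trees (a git checkout and an unpacked release archive, or two build output directories) and uses constructed sample trees, with a made-up extra file `m4/injected.m4`, so it runs offline:

```shell
#!/bin/sh
# Added example (not any project's own code): compare a git checkout of a
# release tag against the unpacked release tarball of the same version.
# The same function works for two build output directories.
set -eu

# compare_trees GIT_DIR TAR_DIR
# Prints "ONLY_IN_TARBALL <path>" for files absent from the git checkout
# (the XZ pattern: build-time files shipped only in the archive) and
# "DIFFERS <path>" for files present in both with different content.
# Returns 0 when the trees match, 1 otherwise.
# Assumption: paths contain no whitespace (word splitting in the for loops).
compare_trees() {
    git_dir=$1
    tar_dir=$2
    git_list=$(mktemp)
    tar_list=$(mktemp)
    # Sorted relative file lists; .git metadata is not part of a release.
    (cd "$git_dir" && find . -type f ! -path './.git/*' | sort) > "$git_list"
    (cd "$tar_dir" && find . -type f | sort) > "$tar_list"
    status=0
    # comm -13: lines only in the second file (tarball-only files)
    for f in $(comm -13 "$git_list" "$tar_list"); do
        printf 'ONLY_IN_TARBALL %s\n' "$f"
        status=1
    done
    # comm -12: lines in both; compare contents byte for byte
    for f in $(comm -12 "$git_list" "$tar_list"); do
        if ! cmp -s "$git_dir/$f" "$tar_dir/$f"; then
            printf 'DIFFERS %s\n' "$f"
            status=1
        fi
    done
    rm -f "$git_list" "$tar_list"
    return $status
}

# make_demo_trees: constructed sample data for a stand-alone run. Builds a
# fake "git checkout" and a fake "unpacked tarball" of the same release; the
# tarball carries one extra m4 file and one modified file. Prints both paths.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/git/src" "$base/git/m4" "$base/tar/src" "$base/tar/m4"
    printf 'int main(void){return 0;}\n' > "$base/git/src/main.c"
    printf 'int main(void){return 0;}\n' > "$base/tar/src/main.c"
    printf 'AC_DEFUN([PROJ_CHECK], [])\n' > "$base/git/m4/project.m4"
    printf 'AC_DEFUN([PROJ_CHECK], [])\n' > "$base/tar/m4/project.m4"
    # Constructed: a macro file that exists only in the archive.
    printf 'AC_DEFUN([INJECTED], [])\n' > "$base/tar/m4/injected.m4"
    # Constructed: a file whose archive copy differs from the git copy.
    printf 'AC_INIT([demo], [1.0])\n' > "$base/git/configure.ac"
    printf 'AC_INIT([demo], [1.0])\nINJECTED\n' > "$base/tar/configure.ac"
    printf '%s %s\n' "$base/git" "$base/tar"
}

# Stand-alone demo: expected output is one ONLY_IN_TARBALL line and one
# DIFFERS line, followed by the MISMATCH verdict.
demo_dirs=$(make_demo_trees)
set -- $demo_dirs   # mktemp paths contain no spaces
if compare_trees "$1" "$2"; then
    echo "tarball matches the git checkout"
else
    echo "MISMATCH: inspect the files listed above before building from this archive"
fi
```

In a packaging pipeline the two arguments would be the checkout of the release tag and the archive unpacked into a scratch directory; any ONLY_IN_TARBALL line for a file that the build system executes (m4 macros, configure, Makefile.in) is the case the Nixpkgs proposal is meant to surface, and running the same function over the two build outputs gives the second half of the check.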