Open solofoA45 opened 7 months ago
Here are some starting points and initial thoughts.
This should tie into the Usage : Security documentation since some issues can be mitigated or bypassed using a tight configuration.
The closest thing we have to an overview of the dependencies is here: https://github.com/Xpra-org/xpra/blob/master/docs/Build/Dependencies.md (and includes some pretty diagrams)
The MacOS builds are by far the easiest to track since we define and build every single library ourselves.
The list can be found by checking out the build repository at the date matching that of the release:
https://github.com/Xpra-org/gtk-osx-build
There are a few extra packages in there that are only used on MacOS for packaging (ie: xar
, etc), those are not shipped.
The full MSYS2
package list on the build system at time of writing has 179 packages:
$ pacman -Qe | wc -l
179
There are also python dependencies which do not have corresponding MINGW packages and are installed via pip: https://github.com/Xpra-org/xpra/blob/15bce9d2ec162ce4984c86aa4279ea2218445194/packaging/MSWindows/SETUP.sh#L38-L42 Then there are also some manual steps: https://github.com/Xpra-org/xpra/blob/15bce9d2ec162ce4984c86aa4279ea2218445194/packaging/MSWindows/SETUP.sh#L46 for:
There can be many reasons why some packages are not updated as regularly as others:
setuptools
, zeroconf
pip
): pip3 list --outdated
pyu2f
): should we remove them?libyuv
: google repository with no actual releases - who really knows what's going on there?Some issues are magnified in 3.1:
libwebp
and libvpx
, RHEL 7 does not):
libjpeg-turbo
: probably has CVEs against itlz4
+ python-lz4
: python wrapper abandoned python2.. v2.2.1 is the last version that can be built for python2python-pillow
stuck on 6.2.2On the whole, I don't think that it is reasonable to expect the 3.1.x to have the same level of maintenance as current versions. CUDA
We should probably split the dependencies into categories - this is probably too many:
gcc
though libgcc
might be?, bash
, etc)libtiff
CVE was for an executable we do not include, not the libtiff
library we do ship)--video-decoders=none
)GTK
, cairo
, etc)lz4
, rencodeplus
, python
interpreter.
etc.The MS Windows dependencies can be recorded in xpra/build_info.py
.
We can get most of the packages from pacman
- and perhaps trim most of the build time dependencies as those aren't very relevant?
The python pip
dependencies are going to be a pain.
This seems relevant: Understanding the NSA’s latest guidance on managing OSS and SBOMs
Both MacOS and MS Windows builds will now record the libraries and python modules present on the build system when the installer is generated. This will include dependencies we don't really care about: build tools, libraries we don't bundle, etc. But it is safer to record too much than too little, and filtering was hard and would also have required constant fine tuning.
The feature for the html5 client is now tracked here: https://github.com/Xpra-org/xpra-html5/issues/277
Next up:
pip3 freeze
output - what is the checksum for?https://pypi.org/pypi/$PROJECT/json
Another tricky one to handle is pdfium-binaries releases - this release page does show a line that says something like "This version was built with branch chromium/6337 of PDFium".
The archive containing the DLL we need also contains a VERSION
file:
$ cat pdfium/VERSION
MAJOR=124
MINOR=0
BUILD=6337
PATCH=0
The easiest way might be to create a "fake" pacman PKGBUILD
for it.
The new script that I am working on would flag:
liblzma-5.dll
as belonging to /mingw64/bin/liblzma-5.dll is owned by mingw-w64-x86_64-xz 5.6.1-2
.
(current DLL should be fine but it was previously owned by the vulnerable version of xz-utils: 5.6.1-1
)
Fixed in: https://github.com/msys2/MSYS2-packages/commit/eb7abbb627d1ccfc5a3a6ca31b98150ee733c366 First vulnerable version was added in: https://github.com/msys2/MSYS2-packages/commit/d153a0914cd45d74acae8a3ade74d0b0d8df5ec6 So any builds between 2024-02-25 and today are shipping the vulnerable library.
On the plus side, the exploit seems to target a specific function in openssh - with glibc, and we don't use openssh by default, and no glibc, and not as a server... So no need to panic.
Good links on the subject:
Forgot another packages missing from MSYS2 that we should contribute upstream:
https://github.com/Xpra-org/xpra/blob/79d8e18dc7544d019bef79374b0bdd51c6d42723/packaging/MSWindows/SETUP.sh#L70
Trivial to install: meson build && ninja install
.
cyclonedx-python-lib: This Python package provides data models, validators and more, to help you create/render/read CycloneDX documents.
For security and compliance concerns, it would be good to have a list of dependencies for example to assess which security vulnerabilities affect Xpra: https://en.wikipedia.org/wiki/Software_supply_chain
While this is rather clear for linux (RPM) packages, this is less clear for windows packages and HTML5 client packages.
Is there already a way to get these informations?