blob: b29c9ed2269caf1d1d3a0e3d3329c54dc7bc0ffa [file] [log] [blame] [edit]
#!/bin/bash -eu
# Copyright 2023 The Wuffs Authors.
#
# Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
# https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
# <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
# option. This file may not be copied, modified, or distributed
# except according to those terms.
#
# SPDX-License-Identifier: Apache-2.0 OR MIT
# ----------------
# This script fetches xz's tests/files suite.
if [ ! -e ../../wuffs-root-directory.txt ]; then
echo "$0 should be run from the Wuffs test/3pdata directory."
exit 1
fi
# Check out a specific commit (from February 2024).
#
# ---
#
# The remaining comment below was written on 2024-04-05.
#
# YYYY-MM-DD dates might appear off by one, due to timezones.
#
# ---
#
# The nigeltao/xz-tests-files repository is a mirror of binary data (test
# files). It combines test files from two git repositories:
#
# - https://github.com/tukaani-project/xz
# - https://www.nongnu.org/lzip/
#
# ---
#
# The https://github.com/tukaani-project/xz git repository (a mirror of the
# canonical xz repository) was recently taken offline. It was compromised and
# contains a backdoor:
#
# - https://www.openwall.com/lists/oss-security/2024/03/29/4
#
# The canonical xz git repository is still online at:
#
# - https://git.tukaani.org/?p=xz.git
#
# ---
#
# As of nigeltao/xz-tests-files's 6e0194063a6dc205d4db35e307778efe1c9f1875,
# that repo's mirroring of the xz repo's tests/files directory was most
# recently updated by d082a076f3e1da05aa478eac4bbba24744b3a1c0 on 2024-02-13,
# the commit immediately prior to 6e0194063a6dc205d4db35e307778efe1c9f1875:
#
# - https://github.com/nigeltao/xz-tests-files/commit/d082a076f3e1da05aa478eac4bbba24744b3a1c0
# - https://github.com/nigeltao/xz-tests-files/commit/6e0194063a6dc205d4db35e307778efe1c9f1875
#
# ---
#
# nigeltao/xz-tests-files at 6e0194063a6dc205d4db35e307778efe1c9f1875 does
# *not* contain the known-to-smuggle-malicious-payloads test files committed by
# Jia Tan on 2024-02-23 and 2024-03-09. It also excludes Jia Tan's possibly
# harmless update to the RISC-V test files (also on 2024-03-09). Specifically,
# nigeltao/xz-tests-files does not contain these five files:
#
# - tests/files/bad-3-corrupt_lzma2.xz
# - tests/files/bad-dict_size.lzma
# - tests/files/good-2cat.xz
# - tests/files/good-large_compressed.lzma
# - tests/files/good-small_compressed.lzma
#
# They were added and updated to the xz repo by Jia Tan in:
#
# - https://git.tukaani.org/?p=xz.git;a=commit;h=cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
# - https://git.tukaani.org/?p=xz.git;a=commit;h=6e636819e8f070330d835fce46289a3ff72a7b89
#
# The possibly-harmless RISC-V test files update was:
#
# - https://git.tukaani.org/?p=xz.git;a=commit;h=0b4ccc91454dbcf0bf521b9bd51aa270581ee23c
#
# ---
#
# nigeltao/xz-tests-files does admittedly contain these two files:
#
# - tests/files/good-1-riscv-lzma2-1.xz
# - tests/files/good-1-riscv-lzma2-2.xz
#
# They were added and updated to the xz repo by Jia Tan on 2024-01-22 and
# 2024-01-23 (and 2024-03-09, as mentioned above, but that's excluded):
#
# - https://git.tukaani.org/?p=xz.git;a=commit;h=e2870db5be1503e6a489fc3d47daf950d6f62723
# - https://git.tukaani.org/?p=xz.git;a=commit;h=3060e1070b2421b26c0e17794c1307ec5622f11d
#
# These two files (before or after the 0b4ccc91454dbcf0bf521b9bd51aa270581ee23c
# 2024-03-09 excluded update) are not believed to be malicious.
git clone --quiet https://github.com/nigeltao/xz-tests-files.git
cd xz-tests-files
git reset --quiet --hard 6e0194063a6dc205d4db35e307778efe1c9f1875
cd ..
# Trim the git metadata.
rm -rf xzsuite
rm -rf xz-tests-files/.git
mv xz-tests-files xzsuite