Re: [GNU-linux-libre] Developing free non-gnu operating systems

[Matias Fonzo]

El 2021-10-10 14:52, Denis 'GNUtoo' Carikli escribió:
> On Fri, 08 Oct 2021 20:42:25 -0300
> Matias Fonzo <selk@dragora.org> wrote:
> > Note, distributing under the xz format sucks![1].  Its competitor in
> > quality offers not only a better license (adequate for free software
> > projects), but is also better prepared for reproducibility[2].
> >
> > [1] http://lzip.nongnu.org/xz_inadequate.html
> > [2] http://lzip.nongnu.org/safety_of_the_lzip_format.html
> Thanks a lot!
>
> I've started reading these and they look really interesting.

Nice, thanks to you for taking the time to read this, and also for 
maintaining Replicant.  :-)

> While modifying linux-libre for Replicant, I've noticed that with Linux
> releases, released tarball are compressed with xz, but that they didn't
> sign them. Instead they signed the uncompressed tarballs.

It is true, as can be read in 
https://www.kernel.org/category/signatures.html

> At first I thought that it was to enable people to change the
> compression level, but now I also wonder if xz shortcoming also
> influenced that decision.

I don't know about this, but I do see that they have a script to 
download verified tarballs[1], which contains an interesting comment 
(lines 151-155):

"
# Before we verify the developer signature, we make sure that the
# tarball matches what is on the kernel.org master. This avoids
# CDN cache poisoning that could, in theory, use vulnerabilities in
# the XZ binary to alter the verification process or compromise the
# system performing the verification.
"

[1] 
https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball

Matías