
From: Ekaitz Zarraga
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Thu, 11 Apr 2024 14:56:24 +0200

Hi,

On 2024-04-11 14:43, Andreas Enge wrote:
> Hello,
>
> On Wed, Apr 10, 2024 at 03:57:20PM +0200, Ludovic Courtès wrote:
>> I think we should gradually move to building everything from
>> source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.
>
> the big drawback of this approach is that we would lose maintainers'
> signatures, right?
>
> Would the suggestion to use signed tarballs, but to autoreconf the
> generated files, not be a better compromise between trusting and
> distrusting upstream maintainers?
>
> Andreas


Probably not, because the release tarballs might contain code that is not present in the Git history and there are not that many eyes checking them. This time it was autoconf, but it might be anything else.

The maintainers' machines can be hijacked too... I think it's just better to obtain the exact same code that is easy to find and everybody is reading.
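As an added example (not code from this thread or from Guix), a Python check for the gap described above: it lists the files a release tarball carries that are absent from the VCS checkout or differ from it, and flags autotools-generated files that should come from autoreconf rather than from the tarball. The package name, file contents and sample tarball are constructed.

```python
import hashlib, io, os, tarfile, tempfile
from pathlib import Path
# Autotools outputs: absent from VCS; regenerate via autoreconf, don't trust tarball copies
GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}

def _strip_top(name):
    # Release tarballs wrap everything in a "pkg-version/" directory.
    parts = name.split("/", 1)
    return parts[1] if len(parts) == 2 else ""

def compare_tarball(tarball, vcs_root):
    """Classify tarball files against a VCS checkout; returns sorted lists."""
    vcs = Path(vcs_root)
    out = {"only_in_tarball": [], "modified": [], "generated": []}
    with tarfile.open(tarball, "r:*") as tf:
        for m in tf.getmembers():
            rel = _strip_top(m.name)
            if not m.isfile() or not rel:
                continue
            data = tf.extractfile(m).read()
            if os.path.basename(rel) in GENERATED:
                out["generated"].append(rel)
            src = vcs / rel
            if not src.is_file():           # never reviewed in the repository
                out["only_in_tarball"].append(rel)
            elif hashlib.sha256(src.read_bytes()).digest() != hashlib.sha256(data).digest():
                out["modified"].append(rel) # differs from the tagged source
    return {k: sorted(v) for k, v in out.items()}

def _add(tf, name, text):
    data = text.encode()
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))

def demo():
    """Constructed sample: tiny checkout vs. a tarball that adds a generated
    configure script and an extra m4 file and alters src/main.c."""
    with tempfile.TemporaryDirectory() as work:
        vcs = Path(work, "repo")
        (vcs / "src").mkdir(parents=True)
        (vcs / "configure.ac").write_text("AC_INIT([demo],[1.0])\n")
        (vcs / "src/main.c").write_text("int main(void){return 0;}\n")
        tb = os.path.join(work, "demo-1.0.tar.gz")
        with tarfile.open(tb, "w:gz") as tf:
            _add(tf, "demo-1.0/configure.ac", "AC_INIT([demo],[1.0])\n")
            _add(tf, "demo-1.0/src/main.c", "int main(void){return 1;}\n")
            _add(tf, "demo-1.0/configure", "#!/bin/sh\n")
            _add(tf, "demo-1.0/m4/extra.m4", "dnl not in VCS\n")
        return compare_tarball(tb, vcs)
```

Run against a real tarball and checkout, anything under `only_in_tarball` or `modified` is the material nobody reading the repository has seen, and `generated` is what autoreconf should replace.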


