[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: backdoor injection via release tarballs combined with binary artifac
|
From: |
Attila Lendvai |
|
Subject: |
Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) |
|
Date: |
Fri, 12 Apr 2024 13:09:04 +0000 |
> > I think we should gradually move to building everything from
> > source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.
>
>
> the big drawback of this approach is that we would lose maintainers'
> signatures, right?
it's possible to sign git commits and (annotated) tags, too.
it's good practice to enable signing by default.
admittedly though, few people sign all their commits, and even fewer sign their
tags.
--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Never appeal to a man's "better nature". He may not have one. Invoking his
self-interest gives you more leverage.”
— Robert Heinlein (1907–1988), 'Time Enough For Love' (1973)
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), (continued)
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Andreas Enge, 2024/04/11
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ekaitz Zarraga, 2024/04/11
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Andreas Enge, 2024/04/11
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ekaitz Zarraga, 2024/04/11
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/13
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Skyler Ferris, 2024/04/13
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/13
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Skyler Ferris, 2024/04/14
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Skyler Ferris, 2024/04/13
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ludovic Courtès, 2024/04/19
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils),
Attila Lendvai <=
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ludovic Courtès, 2024/04/12
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/13
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/05
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Attila Lendvai, 2024/04/05
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/13
Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ricardo Wurmus, 2024/04/04
Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Jan Wielkiewicz, 2024/04/05