guix-devel

From: Ludovic Courtès
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Fri, 12 Apr 2024 22:42:26 +0200
User-agent: Gnus/5.13 (Gnus v5.13)

Hi!

Andreas Enge <andreas@enge.fr> wrote:

> On Wed, Apr 10, 2024 at 03:57:20PM +0200, Ludovic Courtès wrote:
>> I think we should gradually move to building everything from
>> source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.
>
> The big drawback of this approach is that we would lose maintainers'
> signatures, right?

Yes.  But as Attila wrote, one can hope that they provide a way to
authenticate at least part of their VCS history, for example with signed
tags.  (Ideally everyone would use ‘guix git authenticate’ of course.)

> Would the suggestion to use signed tarballs, but to autoreconf the
> generated files, not be a better compromise between trusting and
> distrusting upstream maintainers?

IMO starting from an authenticated VCS checkout is clearer.

Ludo’.
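As an added illustration of the approach discussed above (not code from the thread, Guix, or any real package), here is what a package definition looks like when it fetches from VCS at a pinned commit and adds Autoconf & co. as inputs so that the generated files are rebuilt rather than taken from a tarball. The package name, URL, commit and hash are placeholders.

```scheme
;; Added example, not from the thread: a Guix package built from a Git
;; checkout instead of a release tarball.  Because the checkout carries no
;; generated 'configure' or 'Makefile.in', gnu-build-system's 'bootstrap'
;; phase runs autoreconf with the Autotools listed in native-inputs, so a
;; tampered tarball-only file (as in the xz-utils case) never enters the build.
;; All names, the URL, the commit and the hash below are placeholders.
(define-module (example foo)
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages autotools))

(define-public foo
  (package
    (name "foo")
    (version "1.2.3")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://example.org/foo.git")
             ;; Pin the commit object the signed release tag points to
             ;; (placeholder).  Pinning the commit rather than the tag name
             ;; keeps the build fixed even if the tag is later moved.
             (commit "0000000000000000000000000000000000000000")))
       (file-name (git-file-name name version))
       ;; Placeholder; obtain the real value with 'guix hash -rx .' run
       ;; in the verified checkout.
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; Autoconf & co. become build inputs so 'configure' is regenerated
    ;; from configure.ac/Makefile.am in the checkout.
    (native-inputs (list autoconf automake libtool))
    (synopsis "Placeholder package built from an authenticated VCS checkout")
    (description
     "Placeholder description for an example package that is built from a
pinned Git commit with the Autotools output regenerated at build time.")
    (home-page "https://example.org/foo")
    (license license:gpl3+)))
```

The trust link that the tarball signature used to provide has to be re-established once, out of band, before the commit is pinned: the packager verifies the maintainer's signed tag (`git verify-tag`, or `guix git authenticate` where upstream keeps a `.guix-authorizations` history) and only then records the commit and its `sha256`. After that, the content hash in the definition is what keeps the source fixed; `git-fetch` itself does not check signatures, so this step cannot be skipped.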


