[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-man
Subject:    Release tarballs and security (xz fallout)
From:       Alejandro Colomar <alx () kernel ! org>
Date:       2024-04-09 15:29:16
Message-ID: ZhVe08clpdlkrwpI () debian
[Download RAW message or body]


Hi all!

For context: <https://tukaani.org/xz-backdoor/>

Given the recent XZ vulnerability caught just in time, I wonder if we
should take any action in this project to help the ecosystem.

Some have mentioned that release tarballs are too opaque, and can easily
hide code that's not under git(1) control.  I myself have been feeling
like that for a long time.

I've modified the build system recently so that tarballs should be
reproducible byte-per-byte.  This means that downstream distributors
don't really need to "trust" tarballs signed by me, but they can (and
IMO should) generate them themselves by running `make dist`, and they
should be fine.  Our git tags (and all the commits, BTW) are signed.

Here's my proposal:

Stop distributing release tarballs, and instead ask downstream packagers
to create them themselves by running `make dist`, or even not using
tarballs at all; `make install` from a tarball should be exactly the
same as `make install` from the source repository (IIRC).

Any opinions?

Cheers,
Alex

--=20
<https://www.alejandro-colomar.es/>

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]