[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: Should we stop distributing source tarballs?
From:       Tobias Leupold <tl () stonemx ! de>
Date:       2024-04-05 7:04:14
Message-ID: 9f88c7ba-c2d1-4565-b04f-ad6a8fe3fa6f () stonemx ! de
[Download RAW message or body]

Am 05.04.24 um 06:25 schrieb Juraj Oravec:
> On streda 3. apríla 2024 18:34:04 CEST Albert Vaca Cintora wrote:
>> Hi KDE folks,
>>
>> The recent xz backdoor scandal made me realize how bad and obsolete
>> distributing tarballs is. The source of truth for our code are the
>> repositories, and releases can simply be tags on those repos.
>>
>> As a big free software community, I think we should lead by example
>> and get rid of tarballs altogether (as I hope to see in other projects
>> as well) after the recent events.
>>
>> Packagers can git pull.
>>
>> If we ever replace git with something else, that something else will
>> have tags as well.
>>
>> What's the advantage of providing tarballs?
>>
>> Albert
> 
> Hello Albert,
> 
> The release tarballs can be signed with GPG (or is it PGP?) which
> provide another layer of protection to make sure the release is
> authenthic.
> 
> If KDE wants to lead by example and use only git tags for releases, at
> least the tags should be signed with GPG for verification.
> 
> It would be best to have all commits in the repository signed (in Gitlab
> "Verified"). While we are unable to make sure that the historical commits
> are also signed, since most of them are not, at least new commits and
> tags should be signed. Maybe the commits can be signed retrospectively
> (while breaking the repository history), but this is probablôy just my
> dream.

If all commits in the xz repo would have been signed, the backdoor would 
have been sneaked in as well -- only that the commit would have been 
signed. Also if the tags would have been signed, the releases with the 
backdoor would have been published exactly as is -- only difference: The 
respective tags would have been signed.

Just sayin ...

> With modern approach for "reproducible" builds in the Linux
> distributions, it is required to provide a way to make sure that the
> release is authentic, the tarballs allows that, but with current use of
> git tags we do not even provide a way to make sure the tag was made by
> trusted developer or a release team, iinstead the tag could be faked by
> anyone providing another way of entry.
> 
> Have a nice day.
> Juraj
[prev in list] [next in list] [prev in thread] [next in thread]