Release tarballs and security (xz fallout)

Linux-man Archive mirror
 help / color / mirror / Atom feed

From: Alejandro Colomar <alx@kernel.org>
To: linux-man@vger.kernel.org
Subject: Release tarballs and security (xz fallout)
Date: Tue, 9 Apr 2024 17:29:16 +0200	[thread overview]
Message-ID: <ZhVe08clpdlkrwpI@debian> (raw)

[-- Attachment #1: Type: text/plain, Size: 1099 bytes --]

Hi all!

For context: <https://tukaani.org/xz-backdoor/>

Given the recent XZ vulnerability caught just in time, I wonder if we
should take any action in this project to help the ecosystem.

Some have mentioned that release tarballs are too opaque, and can easily
hide code that's not under git(1) control.  I myself have been feeling
like that for a long time.

I've modified the build system recently so that tarballs should be
reproducible byte-per-byte.  This means that downstream distributors
don't really need to "trust" tarballs signed by me, but they can (and
IMO should) generate them themselves by running `make dist`, and they
should be fine.  Our git tags (and all the commits, BTW) are signed.

Here's my proposal:

Stop distributing release tarballs, and instead ask downstream packagers
to create them themselves by running `make dist`, or even not using
tarballs at all; `make install` from a tarball should be exactly the
same as `make install` from the source repository (IIRC).

Any opinions?

Cheers,
Alex

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

next             reply	other threads:[~2024-04-09 15:29 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-09 15:29 Alejandro Colomar [this message]
2024-04-10 19:26 ` AW: Release tarballs and security (xz fallout) Walter Harms
2024-04-10 20:02   ` Alejandro Colomar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZhVe08clpdlkrwpI@debian \
    --to=alx@kernel.org \
    --cc=linux-man@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).