directory-discuss
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [GNU-linux-libre] Developing free non-gnu operating systems


From: Matias Fonzo
Subject: Re: [GNU-linux-libre] Developing free non-gnu operating systems
Date: Sun, 10 Oct 2021 17:23:33 -0300
User-agent: Roundcube Webmail/1.4.11

El 2021-10-10 14:52, Denis 'GNUtoo' Carikli escribió:
On Fri, 08 Oct 2021 20:42:25 -0300
Matias Fonzo <selk@dragora.org> wrote:
Note, distributing under the xz format sucks![1].  Its competitor in
quality offers not only a better license (adequate for free software
projects), but is also better prepared for reproducibility[2].

[1] http://lzip.nongnu.org/xz_inadequate.html
[2] http://lzip.nongnu.org/safety_of_the_lzip_format.html
Thanks a lot!

I've started reading these and they look really interesting.

Nice, thanks to you for taking the time to read this, and also for maintaining Replicant. :-)

While modifying linux-libre for Replicant, I've noticed that with Linux
releases, released tarball are compressed with xz, but that they didn't
sign them. Instead they signed the uncompressed tarballs.

It is true, as can be read in https://www.kernel.org/category/signatures.html

At first I thought that it was to enable people to change the
compression level, but now I also wonder if xz shortcoming also
influenced that decision.

I don't know about this, but I do see that they have a script to download verified tarballs[1], which contains an interesting comment (lines 151-155):

"
# Before we verify the developer signature, we make sure that the
# tarball matches what is on the kernel.org master. This avoids
# CDN cache poisoning that could, in theory, use vulnerabilities in
# the XZ binary to alter the verification process or compromise the
# system performing the verification.
"

[1] https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball

Matías




reply via email to

[Prev in Thread] Current Thread [Next in Thread]