Re: backdoor injection via release tarballs combined with binary artifac

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: backdoor injection via release tarballs combined with binary artifac

From:	Giovanni Biscuolo
Subject:	Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date:	Sat, 13 Apr 2024 08:13:51 +0200

Hello,

Ludovic Courtès <ludo@gnu.org> writes:

> Ekaitz Zarraga <ekaitz@elenq.tech> skribis:
>
>> On 2024-04-04 21:48, Attila Lendvai wrote:
>>> all in all, just by following my gut insctincts, i was advodating
>>> for building everything from git even before the exposure of this
>>> backdoor. in fact, i found it surprising as a guix newbie that not
>>> everything is built from git (or their VCS of choice).
>>
>> That has happened to me too.
>> Why not use Git directly always?
>
> Because it create{s,d} a bootstrapping issue.  The
> “builtin:git-download” method was added only recently to guix-daemon and
> cannot be assumed to be available yet:
>
>   https://issues.guix.gnu.org/65866

This fortunately will help a lot with the "everything built from git"
part of the "whishlist", but what about the not zero occurrences of
"other upstream VCSs"?

[...]

> I think we should gradually move to building everything from
> source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.
>
> This has been suggested several times before.  The difficulty, as you
> point out, will lie in addressing bootstrapping issues with core
> packages: glibc, GCC, Binutils, Coreutils, etc.  I’m not sure how to do
> that but…

does it have to be an "all of nothing" choiche?  I mean "continue using
release tarballs" vs "use git" for "all"?

If using git is unfeaseable for bootstrapping reasons [1], why not
cointinue using release tarballs with some _extra_ verifications steps
and possibly add some automation steps to "lint" to help contributors
and committers check that there are not "quasi-binary" seeds [2] hidden
in release tarballs?

WDYT?

[...]

Grazie! Gio'

[1] or other reasons specific to a package that should be documented
when needed, at least with a comment in the package definition

[2] the autogenerated files that are not pragmatically verifiable

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), (continued)
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ricardo Wurmus, 2024/04/04
  - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/05
    - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ricardo Wurmus, 2024/04/05
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Jan Wielkiewicz, 2024/04/05

Prev by Date: Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
Next by Date: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Previous by thread: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Next by thread: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Index(es):
- Date
- Thread