Re: backdoor injection via release tarballs combined with binary artifac

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: backdoor injection via release tarballs combined with binary artifac

From:	Attila Lendvai
Subject:	Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date:	Thu, 04 Apr 2024 15:12:47 +0000

> Also, in (info "(guix) origin Reference") I see that Guix packages can have a
> list of uri(s) for the origin of source code, see xz as an example [7]:
> are they intended to be multiple independent sources to be compared in
> order to prevent possible tampering or are they "just" alternatives to
> be used if the first listed uri is unavailable?


a source origin is identified by its cryptographic hash (stored in its sha256 
field); i.e. it doesn't matter *where* the source archive was acquired from. if 
the hash matches the one in the package definition, then it's the same archive 
that the guix packager has seen while packaging.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“We’ll know our disinformation program is complete when everything the American 
public believes is false.”
        — William Casey (1913–1987), the director of CIA 1981-1987

[Prev in Thread]

Current Thread

[Next in Thread]

backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/04
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Attila Lendvai <=
  - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/04
- Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/04
  - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Attila Lendvai, 2024/04/04
    - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ekaitz Zarraga, 2024/04/04
    - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ludovic Courtès, 2024/04/10
    - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Andreas Enge, 2024/04/11
    - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ekaitz Zarraga, 2024/04/11
    - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Andreas Enge, 2024/04/11
    - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Ekaitz Zarraga, 2024/04/11
    - Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils), Giovanni Biscuolo, 2024/04/13

Prev by Date: Re: Coordinators for patch review session on Tuesday
Next by Date: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Previous by thread: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Next by thread: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Index(es):
- Date
- Thread