From: Ekaitz Zarraga
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Thu, 4 Apr 2024 22:32:10 +0200
Hi, I just want to add some perspective from the bootstrapping.

On 2024-04-04 21:48, Attila Lendvai wrote:

> all in all, just by following my gut instincts, i was advocating for building everything from git even before the exposure of this backdoor. in fact, i found it surprising as a guix newbie that not everything is built from git (or their VCS of choice).

That has happened to me too. Why not use Git directly always? In the bootstrapping it's also a problem, as all those tools (autotools) must be bootstrapped, and they require other programs (compilers) that actually use them. And we'll be forced to use git, too, or at least clone the bootstrapping repos, git-archive them ourselves and host them properly signed. At least, we could challenge them using git (similar to what we do with the substitutes), which we cannot do right now with the release tarballs against the actual code of the repository.
In live-bootstrap they just write the build scripts by hand, and ignore whatever the ./configure script says. That's also a reasonable way to tackle the bootstrapping, but it's a hard one. Thankfully, we are working together in this Bootstrapping effort so we can learn from them and adapt their recipes to our Guix commencement.scm module. This would be some effort, but it's actually doable.
Hope this adds something useful to the discussion,

Ekaitz