Re: [arch-announce] The xz package has been backdoored




On 3/30/24 12:34, Genes Lists wrote:
On Fri, 2024-03-29 at 18:55 +0000, Arch Linux: Recent news updates:
David Runge wrote:
TL;DR: Upgrade your systems and container images **now**!



<snip> Question:
--------

Would it make sense, therefore, to switch builds, where possible, away
from tar files and instead pull directly from git source (signed tags
where possible as usual etc)? Of course a git repo can also carry
infections - perhaps that's a little less likely.

Or is this not worth the trouble?


I have public servers -- so this was quite terrifying. However, the consensus was that Arch was never vulnerable given that the .m4 script is not used in the PKGBUILD and is limited to use in .deb or .rpm packaging. (That's to say the compromised test files are present, but not invoked to inject themselves into the library as part of the build.)

The lack of freak-out by Allan was the most comforting aspect. Long discussion, frustrating abundance of "opinions" and light on "concrete facts", but worth the read on just how Arch handles xz:

https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2



--
David C. Rankin, J.D.,P.E.



