Hi Artem,I disagree that the idea is not appropriate. Ensuring that the tar.gz you are getting is exactly what it is in the git repo reduces a lot of risk. So, it makes a lot of sense to get rid of the practice of distributing tar.gz with pregenerated build scripts not present in the git repo that has not been reviewed, without an audit trail implicit in the git history, and without a clear non-repudiateable authorship. Ignoring them and regenerating them is a step forward.
I bet the JT user would not have been able to put the attack in the git source code without Lasse seeing it, or other developers, or tools eventually seeing it, sooner than if it had been obfuscated in the "release" downloads (as it was).
Regarding the multiple eyes, that is not the goal, but the goal is multiple *skilled* eyes.
At the end of the day, this is not about building a bullet-proof system since that's unrealistic, but a system that makes it very hard by setting up tools and processes that mitigate the risk significantly.
Regards, Carlos. On 3/30/24 12:43, Artem S. Tashkinov via devel wrote:
And of course, would be great to employ all the methods
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
