On Thu, Apr 04, 2024 at 01:26:14PM +0000, Arnie T via devel wrote:
> Hi,
>
> I just installed Fedora on 2 of my PCs a couple of weeks ago. One version of Fedora 39 release and one of Fedora 40 to see where things are going.
>
> I learned about this XZ-hack from Ars Technica & The Economist.
>
> I got to the Fedora Magazine article and wasn't really clear on that.
>
> So I followed the discussion to this thread in this Development mailing list.
>
> I read a lot of it but _still_ can't 100% figure out what the final solution is going to be.

There's no 'solution' really... there's a lot of discussion around what we can improve at the distro level, what we can urge upstreams to do, how we can help out more, etc. I'm hopeful some things will come out of this as it's a chance for us to look at our processes and improve them.

> I have a question about that.
>
> I'm for sure OK that a responsibly developed FOSS project can contribute value and should be welcomed.
>
> ISTM that if a package is used on critical-path or security-path by default in a Distro it needs a higher bar.
>
> IIUC from this thread and online discussions about XZ & alternatives that
>
> 1] Lack of committer 'Real' identity confidence and verification is a problem.

IMHO this isn't a problem. We don't have a right to demand anything from open source projects. We can ask, we can urge, we can contribute and change things, we can choose to not use something, or fork something.

> 2] Undetected differences source + packaging in repo vs tarballs are unchecked.

Yeah, a lot of the discussion has been in this area. I'm wondering if perhaps we shouldn't revisit source-git, or at least a variant of it where we keep the upstream sources in a branch always and apply packaging on top of that and build from there.

> 3] Under-resourced development creates risk; 'Many eyes' bench depth in development is needed.

Yep. I think also visibility of changes can be improved. So, maintainers know more about what's in a new version and how it works.

<snip moving from xz to zstd, which has been discussed downthread a bunch already>

kevin
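One concrete form of the check behind point 2 (release tarball vs. the tagged upstream tree), added here as an example and not code from this mail or from any Fedora tooling: hash every file in the tarball and compare against the file list and hashes of the VCS tag, reporting tarball-only files, dropped files, and files whose content differs. The tarball and the VCS file table are constructed inline; a real run would take the VCS hashes from something like `git archive <tag>` hashed the same way.

```python
import hashlib
import io
import tarfile

def tarball_file_hashes(tar_bytes: bytes, strip_components: int = 1) -> dict:
    """SHA-256 of every regular file in the tarball, top-level directory stripped."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            parts = member.name.split("/")[strip_components:]
            if member.isfile() and parts:
                data = tar.extractfile(member).read()
                hashes["/".join(parts)] = hashlib.sha256(data).hexdigest()
    return hashes

def compare_to_vcs(tarball_hashes: dict, vcs_hashes: dict) -> dict:
    """Files only in the tarball, files the tarball dropped, files whose content changed."""
    tar_paths, vcs_paths = set(tarball_hashes), set(vcs_hashes)
    return {
        "tarball_only": sorted(tar_paths - vcs_paths),
        "missing_from_tarball": sorted(vcs_paths - tar_paths),
        "content_differs": sorted(p for p in tar_paths & vcs_paths
                                  if tarball_hashes[p] != vcs_hashes[p]),
    }

def build_sample_tarball(files: dict) -> bytes:
    """Constructed sample release archive; a real check reads the upstream tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name="proj-1.0/" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed inputs: the tagged tree and what the shipped tarball contains.
VCS_TREE = {"src/lib.c": b"int f(void) { return 1; }\n",
            "configure.ac": b"AC_INIT\n",
            "m4/helper.m4": b"dnl upstream version\n"}
RELEASE_TARBALL = build_sample_tarball({
    "src/lib.c": VCS_TREE["src/lib.c"],
    "configure.ac": VCS_TREE["configure.ac"],
    "m4/helper.m4": b"dnl edited after tagging\n",   # same path, content differs
    "m4/extra.m4": b"dnl present only in the tarball\n",
})

def check_sample() -> dict:
    """Run the comparison on the constructed inputs and return the report."""
    vcs_hashes = {p: hashlib.sha256(c).hexdigest() for p, c in VCS_TREE.items()}
    return compare_to_vcs(tarball_file_hashes(RELEASE_TARBALL), vcs_hashes)
```

Anything in `tarball_only` or `content_differs` is exactly the material a reviewer never saw in the repository and is where to look first.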