On 2023-04-12 at 08:00:19, Jeff King wrote:
> There's an interesting question raised in an issue in the git-scm.com
> repo that I think would benefit from input from community folks here.
>
> The link is:
>
> https://github.com/git/git-scm.com/issues/1774#issuecomment-1504829495
>
> but the tl;dr is:
>
> From a supply chain perspective, what are our criteria for linking to
> a third party's pre-built binaries from git-scm.com?

I think we should ideally suggest distribution binaries where those are
autobuilt and the distributor is complying with the license. For macOS,
Apple is providing their own binaries, and if people want more
up-to-date versions, we could suggest Homebrew. For Linux and BSD
systems, that would be pointing people to their OS distributor. For
Windows, I think most people are going to use Git for Windows and I
don't believe Microsoft is providing its own binaries as part of the OS.
I believe Git for Windows is autobuilt using CI.

> Obviously we don't want to point people at malicious or trojaned
> binaries. But we probably also bear some responsibility for making sure
> the third party has reasonable security practices themselves.

This is why I suggested autobuilt binaries only. Typically OS
distributors have some sort of reasonably well-secured autobuild
infrastructure. I think it's safe to assume major distros have secured
their autobuild infrastructure unless we've seen evidence to the
contrary, because otherwise we'd need to be security auditors, which I
don't want to be.

Note that I wouldn't object if the binaries are manually signed (say,
because the key lives on a human's security key), but I feel like that's
practically unlikely for most OS distributors.

If we have evidence that people are not complying with the license, then
we should refuse to link to those binaries and not recommend that as a
trusted source.

--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA