hello, here my opinion ... I followed the xz hack and the main problem (in my view) is that the person (tried or go) write access to the git archive. In that case it is game over. Normaly i run a tar vtzf BEFORE i install a tarball (more to make sure that they will produce a directory and do not spill everything in my home). That is be no means perfect but it helps a bit. For the man-page project i can imagine a 2 tarball solution. One for the pages, and one for anything executeable, so i can use an older/trusted version of an installer, but again an "evil maintainer"-attack is - as any suply-chain-attack - hard to notice and even harder to prevent. YM2C wh ________________________________________ Von: Alejandro Colomar <alx@xxxxxxxxxx> Gesendet: Dienstag, 9. April 2024 17:29:16 An: linux-man@xxxxxxxxxxxxxxx Betreff: Release tarballs and security (xz fallout) Hi all! For context: <https://tukaani.org/xz-backdoor/> Given the recent XZ vulnerability caught just in time, I wonder if we should take any action in this project to help the ecosystem. Some have mentioned that release tarballs are too opaque, and can easily hide code that's not under git(1) control. I myself have been feeling like that for a long time. I've modified the build system recently so that tarballs should be reproducible byte-per-byte. This means that downstream distributors don't really need to "trust" tarballs signed by me, but they can (and IMO should) generate them themselves by running `make dist`, and they should be fine. Our git tags (and all the commits, BTW) are signed. Here's my proposal: Stop distributing release tarballs, and instead ask downstream packagers to create them themselves by running `make dist`, or even not using tarballs at all; `make install` from a tarball should be exactly the same as `make install` from the source repository (IIRC). Any opinions? Cheers, Alex -- <https://www.alejandro-colomar.es/>
