Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

bug-standards

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

From:	dherring
Subject:	Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Date:	Sat, 30 Mar 2024 19:03:48 -0400
User-agent:	Roundcube Webmail/1.4.3

On 2024-03-30 18:25, Bruno Haible wrote:

Eric Gallager wrote:


Hm, so should automake's `distcheck` target be updated to perform
these checks as well, then?


The first mentioned check can not be automated. ...

The second mentioned check could be done by the maintainer, ...

I agree that distcheck is good but not a cure all. Any static systemcan be attacked when there is motive, and unit tests are easily gamed.

With a reproducible build system, multiple maintainers can "make dist"and compare the output to cross-check for erroneous / malicious distenvironments. Multiple signatures should be harder to compromise,assuming each is independent and generally trustworthy.

Maybe GNU should establish a cross-verification signing standard and"dist verification service" that automates this process? Point it to arepo and tag, request a signed hash of the dist package... Thendownstream projects could check package signatures from both themaintainer and such third-party verifiers to check that nothing wasinserted outside of version control.


-- Daniel

[Prev in Thread]

Current Thread

[Next in Thread]

GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/03/30
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Karl Berry, 2024/03/30
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Bruno Haible, 2024/03/30
  - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/03/30
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Bruno Haible, 2024/03/30
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, dherring <=
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer, 2024/03/31
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jose E. Marchesi, 2024/03/31
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer, 2024/03/31
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/03/31
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Tomas Volf, 2024/03/31
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Russ Allbery, 2024/03/31
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Eric Gallager, 2024/03/31
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Peter Johansson, 2024/03/31
    - Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Jacob Bachmeyer, 2024/03/31
- Re: GNU Coding Standards, automake, and the recent xz-utils backdoor, Alexandre Oliva, 2024/03/30

Prev by Date: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Next by Date: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Previous by thread: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Next by thread: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Index(es):
- Date
- Thread