A smaller, more trustable tarball
Posted Mar 24, 2025 9:57 UTC (Mon) by epa (subscriber, #39769)
In reply to: A smaller, more trustable tarball by farnz
Parent article: Julien Malka proposes method for detecting XZ-like backdoors
Posted Mar 24, 2025 10:36 UTC (Mon)
by farnz (subscriber, #17727)
The hard part of such a system is determining the minimum set of builds needed for everything to work; you don't want to keep rebuilding autoconf when you can wait for more packages to be installed safely. But that's a mix of a hard metadata problem (if I need autoconf that supports erlang, I must declare that I depend on erlang) and a solved graph theory problem (extracting a build tree from a dependency graph, given rebuilds).
You could gold-plate the system further, and only have a single autoconf package that knows how to self-update as more dependencies are installed. Then, you install autoconf with minimal dependencies; you install xz, gccgo, erlang and other dependencies, then update autoconf to pick up the newly available dependencies, which triggers a rebuild not just of autoconf itself, but also anything that depended on the old build of autoconf.
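As an added illustration of the two-pass scheme described above (not code from the comment, the article, or the proposal it discusses), the following Python sketch bootstraps a constructed package graph with hard dependencies only, then rebuilds each package as its optional dependencies become available and cascades that rebuild to everything built against the old build. The graph, the hard/optional split and the rule that only a change in a package's available optional dependencies invalidates its consumers are all assumptions of this example.

```python
from collections import deque

# Constructed example graph (not from the comment). "hard" deps must be
# installed before any build of a package; "optional" deps enable extra
# features and, once installed, justify a rebuild of the package.
PACKAGES = {
    "libc":     {"hard": [], "optional": []},
    "xz":       {"hard": ["libc"], "optional": []},
    "erlang":   {"hard": ["libc"], "optional": []},
    "gccgo":    {"hard": ["libc"], "optional": []},
    "autoconf": {"hard": ["libc"], "optional": ["xz", "erlang", "gccgo"]},
    "app":      {"hard": ["autoconf", "xz"], "optional": []},
}

def topo_order(packages):
    """Kahn's algorithm over hard deps only; raises if they form a cycle."""
    indeg = {p: len(s["hard"]) for p, s in packages.items()}
    rdeps = {p: sorted(r for r, s in packages.items() if p in s["hard"]) for p in packages}
    queue = deque(sorted(p for p, n in indeg.items() if n == 0))
    order = []
    while queue:
        p = queue.popleft()
        order.append(p)
        for r in rdeps[p]:
            indeg[r] -= 1
            if indeg[r] == 0:
                queue.append(r)
    if len(order) != len(packages):
        raise ValueError("cycle among hard dependencies")
    return order

def plan_builds(packages):
    """Return the build log as (package, optional deps present at that build)."""
    order = topo_order(packages)
    installed, built_with, log, stale = set(), {}, [], set()
    for p in order:                      # pass 1: minimal bootstrap, hard deps only
        present = frozenset(d for d in packages[p]["optional"] if d in installed)
        log.append((p, present)); built_with[p] = present; installed.add(p)
    while True:                          # later passes: pick up newly installed optional deps
        for p in order:
            present = frozenset(d for d in packages[p]["optional"] if d in installed)
            changed = present != built_with[p]
            if not (changed or p in stale):
                continue
            log.append((p, present)); built_with[p] = present; stale.discard(p)
            if changed:                  # assumption: a feature change invalidates every
                stale.update(r for r, s in packages.items()   # consumer of the old build
                             if p in s["hard"] or p in s["optional"])
        if not stale:
            return log
```

On the constructed graph this yields eight builds: six in the bootstrap pass, then autoconf rebuilt with xz, erlang and gccgo available, and app rebuilt because it was linked against the minimal autoconf.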