
A smaller, more trustable tarball

Posted Mar 24, 2025 10:36 UTC (Mon) by farnz (subscriber, #17727)
In reply to: A smaller, more trustable tarball by epa
Parent article: Julien Malka proposes method for detecting XZ-like backdoors

You could gold-plate the system further, and only have a single autoconf package that knows how to self-update as more dependencies are installed. Then, you install autoconf with minimal dependencies; you install xz, gccgo, erlang and other dependencies, then update autoconf to pick up the newly available dependencies, which triggers a rebuild not just of autoconf itself, but also anything that depended on the old build of autoconf.

The hard part of such a system is determining the minimum set of builds needed for everything to work; you don't want to keep rebuilding autoconf when you can wait for more packages to be installed safely. But that's a mix of a hard metadata problem (if I need autoconf that supports erlang, I must declare that I depend on erlang) and a solved graph theory problem (extracting a build tree from a dependency graph, given rebuilds).
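The "solved graph theory problem" in the comment above, as an added Python sketch (my own illustration, not farnz's code nor any real package manager): it models the staged bootstrap with a minimal autoconf@1, a full autoconf@2 built against the generation-1 helpers, and the rebuild wave of everything that was built against autoconf@1. Package names and dependency edges are constructed for illustration.

```python
from collections import deque

def _reverse(deps):
    """Map each build to the builds that depend on it; every prereq must itself be a node."""
    rev = {n: set() for n in deps}
    for n, prereqs in deps.items():
        for p in prereqs:
            rev[p].add(n)
    return rev

def topo_order(deps):
    """Build order via Kahn's algorithm over {build: set(prereq builds)}; raises on a cycle."""
    indeg = {n: len(p) for n, p in deps.items()}
    rev = _reverse(deps)
    ready, order = deque(sorted(n for n, d in indeg.items() if d == 0)), []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m in sorted(rev[n]):          # sorted only to make the order deterministic
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(deps):
        raise ValueError("dependency cycle: no valid build order")
    return order

def rebuild_plan(deps, changed):
    """Builds invalidated when `changed` is rebuilt: itself plus everything downstream, in order."""
    rev, stale, stack = _reverse(deps), {changed}, [changed]
    while stack:
        for m in rev[stack.pop()] - stale:
            stale.add(m)
            stack.append(m)
    return [n for n in topo_order(deps) if n in stale]

# Constructed sample: package -> build-time deps (names and edges assumed for illustration).
PACKAGES = {"xz": {"autoconf"}, "erlang": {"autoconf"}, "gccgo": {"autoconf"},
            "libfoo": {"autoconf", "xz"}}
AUTOCONF_WANTS = {"xz", "erlang", "gccgo"}    # helpers the full autoconf picks up

def staged_bootstrap(packages, wants):
    """Gen 1: minimal autoconf, then everything against it. Gen 2: full autoconf, then the stale set."""
    gen1 = {"autoconf@1": set()}
    gen1.update({f"{p}@1": {f"{d}@1" for d in ds} for p, ds in packages.items()})
    steps = topo_order(gen1)
    if not {f"{p}@1" for p in wants} <= set(steps):
        raise ValueError("a helper autoconf@2 needs was never built")
    steps.append("autoconf@2")               # built against the gen-1 helpers only
    stale = rebuild_plan(gen1, "autoconf@1")[1:]   # everything that used autoconf@1
    return steps + [n.replace("@1", "@2") for n in stale]
```

The returned plan is 2n+2 builds for n packages, which is the "minimum set of builds" the comment mentions for the simple case where a second autoconf upgrade is not needed.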



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds