
A backdoor in xz

Posted Mar 29, 2024 20:17 UTC (Fri) by excors (subscriber, #95769)
In reply to: A backdoor in xz by ewen
Parent article: A backdoor in xz

GitHub's auto-generated tarballs also have the issue that they don't promise stability, so old releases might unexpectedly get a different checksum (with the same content but different compression etc), which can break build systems: https://lwn.net/Articles/921787/ . GitHub reverted that change, but they still explicitly don't promise long-term stability of archives, and say you should use commit IDs (no checksums) or externally-uploaded release tarballs: https://github.blog/2023-02-21-update-on-the-future-stabi...


A backdoor in xz

Posted Mar 29, 2024 20:37 UTC (Fri) by randomguy3 (subscriber, #71063) [Link]

Commit IDs are their own checksum, of course, providing you use git to grab them.
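The point made in the two comments above, as an added example that is not part of this thread: a commit ID is a SHA-1 over the commit object, which names the tree, which names every blob, so it is fixed by the content alone, while the checksum of a generated .tar.gz also depends on packaging details such as the gzip header timestamp. The repository content, author and timestamp below are constructed for the demonstration; the object encodings follow git's documented formats.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample repository content (flat tree, not from any real project).
FILES = {"README": b"hello\n", "lib.c": b"int f(void) { return 1; }\n"}

def git_object_id(kind, payload):
    """SHA-1 of a git object: 'kind <size>\\0' header followed by the payload."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def blob_id(content):
    return git_object_id("blob", content)

def tree_id(files):
    """Tree of regular files (mode 100644). Git stores the entries sorted by
    name as 'mode name\\0' followed by the 20 raw SHA-1 bytes of the blob."""
    body = b"".join(b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
                    for name in sorted(files))
    return git_object_id("tree", body)

def commit_id(files, author="A U Thor <author@example.com>", ts=1711700000):
    """Commit object: the ID covers the tree ID, hence every file's content."""
    body = (f"tree {tree_id(files)}\n"
            f"author {author} {ts} +0000\n"
            f"committer {author} {ts} +0000\n"
            "\nRelease\n").encode()
    return git_object_id("commit", body)

def tarball_sha256(files, gzip_mtime):
    """SHA-256 of a .tar.gz of the same files; only the gzip header mtime varies."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(files[name]), 0
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(gzip.compress(raw.getvalue(), mtime=gzip_mtime)).hexdigest()

def archive_checksum_stable(files):
    """True only if regenerating the archive at another time keeps its checksum."""
    return tarball_sha256(files, 0) == tarball_sha256(files, 1)

if __name__ == "__main__":
    print("commit ID:", commit_id(FILES))
    print("archive checksum stable across regenerations?", archive_checksum_stable(FILES))
    altered = dict(FILES, **{"lib.c": b"int f(void) { return 2; }\n"})
    print("commit ID changes when content changes?", commit_id(altered) != commit_id(FILES))
```

Pinning a commit ID therefore pins the content regardless of how it is later packaged, whereas a build system that pins the checksum of an auto-generated archive breaks as soon as the archive is regenerated differently.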

A backdoor in xz

Posted Mar 30, 2024 0:21 UTC (Sat) by jdulaney (subscriber, #83672) [Link] (1 responses)

It almost sounds as if GitHub should not be used as a release mechanism.

A backdoor in xz

Posted Mar 30, 2024 13:38 UTC (Sat) by smurf (subscriber, #17840) [Link]

You can use GitHub's release mechanism all you like, just be sane about it.

This means that your tarball gets generated by a verified and pinned-down GitHub Action and doesn't access external resources. EVER.

While the fact that widely-used libraries like xz still allow developer-supplied release uploads can plausibly be explained (excused, really) by laziness, the line between that and malpractice is a thin one.

Against stupidity, the Gods themselves …


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds