
A backdoor in xz

Posted Apr 7, 2024 13:16 UTC (Sun) by chestnut (guest, #170772)
In reply to: A backdoor in xz by ewen
Parent article: A backdoor in xz

> For lots of projects building from the automatic git checkout zip is non-trivial (e.g. missing generated things like configure scripts), so at least historically many projects have suggested people ignore the git checkout archive and use the source archive someone uploaded as a release file, that includes extra generated files.

Sorry, I'm a beginner and I didn't find anything on Google about "many projects have suggested people ignore the git checkout archive and use the source archive someone uploaded as a release file", can you give me some tips? Maybe a source link, and why not upload these scripts to GitHub?



A backdoor in xz

Posted Apr 7, 2024 14:54 UTC (Sun) by pizza (subscriber, #46)

> can you give me some tips?

An example of this is darktable: "As always, please don't use the autogenerated tarball provided by github, but only our tar.xz file."

> and why not upload these scripts to GitHub

They pretty much always are, typically called something like "./bootstrap.sh". But to generate the distribution tarball, you usually need additional dependencies or tools.

Another example of this is gutenprint; as well as the autotools stuff, the distribution tarballs have a lot of other auto-generated stuff (e.g. supported printer lists) that would otherwise cause major issues if you are trying to cross-compile things.

In both cases the CI systems auto-generate a release tarball after every commit.
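
An added example, not part of the comments above and not code from any project they mention: one way to see what a maintainer-uploaded release tarball contains beyond the tagged checkout is to hash both archives and list the files that exist only in the release or differ from version control. The archive names, file names and contents below are constructed sample data.

```python
import hashlib
import io
import tarfile


def make_tar(files, top):
    """Build an in-memory .tar.gz with every path under one top-level directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digests(blob):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                rel = member.name.split("/", 1)[-1]
                out[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def compare(release_blob, vcs_blob):
    """Return (files only in the release tarball, files whose content differs)."""
    rel, vcs = digests(release_blob), digests(vcs_blob)
    only_in_release = sorted(set(rel) - set(vcs))
    changed = sorted(n for n in set(rel) & set(vcs) if rel[n] != vcs[n])
    return only_in_release, changed


# Constructed sample data: a tagged checkout and the maintainer-uploaded tarball.
VCS = make_tar({"configure.ac": b"AC_INIT([demo],[1.0])\n",
                "bootstrap.sh": b"#!/bin/sh\nautoreconf -fi\n",
                "m4/check.m4": b"dnl version from git\n"}, "demo-1.0-git")
RELEASE = make_tar({"configure.ac": b"AC_INIT([demo],[1.0])\n",
                    "bootstrap.sh": b"#!/bin/sh\nautoreconf -fi\n",
                    "m4/check.m4": b"dnl version shipped in tarball\n",
                    "configure": b"#!/bin/sh\n# generated by autoconf\n"}, "demo-1.0")

if __name__ == "__main__":
    added, changed = compare(RELEASE, VCS)
    print("only in release tarball:", added)    # generated or otherwise untracked files
    print("differs from checkout:  ", changed)  # tracked files whose content was altered
```

Files reported as only in the release are the generated material the comments describe; files that differ from the checkout are the ones a reviewer should be able to regenerate or explain.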

