20.01.2025 23:49, Heinrich Schuchardt wrote:
> Hello Michael,
> I can understand that a maintainer cares about keeping his package buildable
> but system security is of even higher importance.
> The xz package has demonstrated the security impact of including binaries of
> unchecked origin.
> Why do we ship *.so files for architectures that can be built from source like
> qemu-9.2.0/linux-user/riscv/vdso-64.so?

I don't want to use different source for other systems.
Have you actually checked the build process before filing
this bug report? Are you aware these binaries are *not*
used on debian trixie, but *are* used on ubuntu because
ubuntu does not have separate arch-all build?

> Has the security team ever confirmed that shipping binaries in the QEMU source
> is ok?

What does it have to do with the security team?

/mjt