On 1/20/25 21:29, Michael Tokarev wrote:
> 20.01.2025 23:22, Heinrich Schuchardt wrote:
>> Package: qemu-system-riscv
>> Version: 1:9.2.0+ds-5
>> Severity: normal
>>
>> The https://salsa.debian.org/qemu-team/qemu contains pre-built binaries.
>> Binaries should always be built from source.
>
> What's the point in filing this bug report?
> Do you have a solution for this, which works on bookworm too?
> Hint: there's no loong64 cross-compiler in bookworm.
>
> Thanks,
>
> /mjt

Hello Michael,

I can understand that a maintainer cares about keeping his package
buildable but system security is of even higher importance.

The xz package has demonstrated the security impact of including
binaries of unchecked origin.

Why do we ship *.so files for architectures that can be built from
source like qemu-9.2.0/linux-user/riscv/vdso-64.so?

Has the security team ever confirmed that shipping binaries in the QEMU
source is ok?

Best regards

Heinrich