20.01.2025 23:53, Michael Tokarev wrote:
20.01.2025 23:49, Heinrich Schuchardt wrote:

Hello Michael,

I can understand that a maintainer cares about keeping his package buildable 
but system security is of even higher importance.

The xz package has demonstrated the security impact of including binaries of 
unchecked origin.

Why do we ship *.so files for architectures that can be built from source like 
qemu-9.2.0/linux-user/riscv/vdso-64.so?

I don't want to use different source for other systems.

Have you actually checked the build process before filing
this bug report?  Are you aware these binaries are *not*
used on debian trixie, but *are* used on ubuntu because
ubuntu does not have separate arch-all build?

Just so you know: I was about to drop these binaries in debian
qemu 9.2 source package, - exactly because these are not used
on debian (they're used in bookworm-backports only) but didn't
drop these *because* of ubuntu who's using them.

/mjt
