Once upon a time, Michael Catanzaro <mcatanz...@redhat.com> said: > I agree that running autoreconf on our packages makes sense to start > doing. Still, to avoid this backdoored m4 file, we would have needed > to stop using release tarballs altogether and switch to using git > tags directly instead. That would at least force the malicious > attacker to commit their code to version control, making it slightly > harder to hide the attack.
Using a signed tarball is ideally better than a git tag (it's an extra level of author attestation)... but where both are available, it'd be nice to have a way to denote in the spec file that there are two URLs for the source. In this case, if both URLs were listed and something could be run to automatically fetch and compare them, the attack code would have been flagged. Just because something is public in a git tag doesn't mean somebody else reviewed it and caught an attack (after all, in this case, part of it was committed to git and at least one other maintainer didn't notice anything odd). -- Chris Adams <li...@cmadams.net> -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
