On Mon, Mar 31, 2025 at 07:59:50PM +0000, Zbigniew Jędrzejewski-Szmek wrote: > To expand on this one: it is true that the untrustworthy maintainer > would have been able to add files to git too. But it is also true that > people may much closer attention to the git commits than to the tarball.
In addition if you have a local checkout, it is hard for someone to manipulate the upstream git history (commits or tags) in a way that won't be easily noticed when you later re-pull latest objects. This gives more confidence in the archives, even if the archives themselves are unsigned. > In fact, unless people get suspicious or something is broken, almost > nobody analyses tarballs, in particular if they are *not* equivalent > to 'git archive', but contain local irreproducible modifications, as > is the case with autoconf scripts. Using the output from 'git archive' > is better because it is easier to inspect. In hindsight I'm pretty amazed that managed to get into a situation where it was thought it was acceptable to be shipping auto-generated shell scripts which can be MB in size, and are blindly run by anyone who downloads the tarball. Admittedly autoconf originated in a different age, but its staying power is surprising. Many people mock the security risk of instructions saying curl some.site | sh but at the same time are happy to do curl sometarballurl tar zxvf sometarball cd someproject ./configure IMHO this latter scenario is worse from a security risk. In the former scenario, at least you can leave off the '| sh' bit and audit the shell script (which is usually short and readable) before running it. It is practically impossible for anyone to meaningfully audit an autoconf 'configure' script. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
