On 10/29/2024 10:05 AM, Werner Koch via Gnupg-users wrote:
> Hi!
> you should really set aside problems with the distribution and use the
> speedo variant to build everything. This is somewhat similar to an
> AppImage. From the README:
>   To quickly build all required software without installing it, the
>   Speedo target may be used:
>       make -f build-aux/speedo.mk native
>   This target downloads all required libraries and does a native build
>   of GnuPG to PLAY/inst/. GNU make and the patchelf tool are
>   required. After the build the entire software including all
>   libraries can be installed into an arbitrary location using for
>   example:
>       make -f build-aux/speedo.mk install SYSROOT=/usr/local/gnupg26
THIS IS BAD! It is the make-based version of the memed "download and
run random code from the internet" instructions that security-ignorant
teams keep posting as their "Linux" install instructions. The
semi-embedded "buildroot" project did the same years ago.
Unless the speedo make target actively checks each download against a
strong hash stored in the initial gnupg tarball, this exposes the
user/dev to all manner of supply chain attacks by running unvetted
build scripts and other code from whomever hijacks any one of the
various upstream URLs.
Systemd blindly loading random 3rd party decompression libraries into
all compatible daemon processes was similarly exploited this year by
someone invading one of the compression projects.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
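The download check Jakob calls for, as an added example that is not code from GnuPG or its speedo.mk (the manifest format, function names and sample files are assumptions constructed here): a POSIX shell routine that unpacks a fetched tarball only when its SHA-256 matches a digest pinned alongside the source.

```shell
#!/bin/sh
# Added example (not code from GnuPG or speedo.mk): only unpack a fetched
# tarball when its SHA-256 matches a digest pinned in the source tree.
# The manifest must ship with the tarball that starts the build, never be
# fetched from the same URL as the download, or a hijacked mirror controls both.

# sha256_of <file>: prints the hex digest (coreutils or BSD tool).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# verify_pinned <tarball> <manifest>
# Manifest lines look like "<sha256>  <filename>" (sha256sum -c style).
# Returns 0 only when the filename is listed and the digest matches exactly.
verify_pinned() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$2")
  [ -n "$expected" ] || { echo "no pinned digest for $name" >&2; return 1; }
  actual=$(sha256_of "$1")
  [ "$actual" = "$expected" ] || {
    echo "digest mismatch for $name: want $expected got $actual" >&2; return 1; }
}

# unpack_verified <tarball> <manifest> <destdir>: verify first, then extract.
unpack_verified() {
  verify_pinned "$1" "$2" || return 1
  mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# demo_setup: constructs a sample tarball, pins its digest, and builds a
# tampered copy under the same filename (as if an upstream URL had been
# hijacked). Prints the work directory so callers can find the files.
demo_setup() {
  w=$(mktemp -d); mkdir -p "$w/src" "$w/bad"
  printf 'int main(void){return 0;}\n' > "$w/src/a.c"
  tar -czf "$w/good.tar.gz" -C "$w" src
  printf '%s  good.tar.gz\n' "$(sha256_of "$w/good.tar.gz")" > "$w/pins.txt"
  printf 'int main(void){return 1;}\n' > "$w/src/a.c"   # tampered source
  tar -czf "$w/bad/good.tar.gz" -C "$w" src
  echo "$w"
}

# Stand-alone run: the pinned tarball unpacks, the tampered one is refused.
w=$(demo_setup)
unpack_verified "$w/good.tar.gz" "$w/pins.txt" "$w/out" && echo "pinned tarball unpacked"
unpack_verified "$w/bad/good.tar.gz" "$w/pins.txt" "$w/out" || echo "tampered tarball refused"
```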