| 29 Mar 2024 |
raitobezarius | In reply to @julienmalka:matrix.org Just saw that as well, is there a specific reason we are not building xz from the "source code" links generated from GitHub? If I understand correctly part of the backdoor is not present in there #security-discuss:nixos.org | 16:39:38 |
vcunat | Because release tarballs need less dependencies to build from. | 16:39:55 |
tgerbet | And the source code tarballs generated by GH automatically are not stable | 16:40:28 |
vcunat | We have tools for that. | 16:40:55 |
vcunat | Hashing the unpacked directory tree instead. | 16:41:07 |
vcunat | Dependency on autoreconfHook can be bothersome, especially for packages involved in stdenv bootstrapping. | 16:41:42 |
cleverca22 | In reply to @vcunat:matrix.org Because release tarballs need less dependencies to build from. I suspect that's also part of the exploit chain
configure isn't in git, and has to be generated when making the release tarball, and users are trusting that configure was generated properly
| 19:09:45 |
cleverca22 | so the critical piece in making it all work isn't in git, and there is no evidence of it in the history | 19:10:05 |
ris_ | I think we've encountered situations before where the GitHub automatically generated tarball has been "overridden" by a release file being supplied in its place - which unnerved me a bit at the time - but makes me wonder if it's actually possible to get a tarball link to a git tag that will definitely have been auto-generated | 22:09:23 |
ris_ | i.e. even fetchFromGitHub was returning the manually-uploaded tarball | 22:11:32 |
tomberek | ris_: if you use a tree-hash you have much better guarantees from their archive-tarball API. Fetching by commit-hash may encounter git-filter+smudging issues. | 22:37:10 |