| 29 Mar 2024 |
| moody joined the room. | 17:20:21 |
| pareto-optimal-dev joined the room. | 17:25:15 |
| mjm joined the room. | 17:26:08 |
| mjm | 17:31:16 |
| Minijackson joined the room. | 17:33:44 |
| Christian joined the room. | 17:38:47 |
| hemant (he/they) joined the room. | 17:48:51 |
| @bear454:librem.one joined the room. | 18:28:44 |
| mattleon joined the room. | 18:31:48 |
| robgssp joined the room. | 18:32:48 |
| @bear454:librem.one left the room. | 18:32:54 |
| Dustin Plattner joined the room. | 18:45:10 |
| brokenpip3 joined the room. | 18:48:08 |
cleverca22 | In reply to @vcunat:matrix.org Because release tarballs need fewer dependencies to build from. I suspect that's also part of the exploit chain
configure isn't in git, and has to be generated when making the release tarball, and users are trusting that configure was generated properly
| 19:09:45 |
cleverca22 | so the critical piece in making it all work isn't in git, and there is no evidence of it in the history | 19:10:05 |
| @winston:milli.ng joined the room. | 19:34:49 |
| @entheogenesis:matrix.org joined the room. | 20:12:35 |
hexa | Redacted or Malformed Event | 20:52:12 |
| anthr76 joined the room. | 20:54:54 |
| Gaelan Steele joined the room. | 21:13:50 |
| magic_rb joined the room. | 21:45:27 |
ris_ | I think we've encountered situations before where the GitHub automatically generated tarball has been "overridden" by a release file being supplied in its place, which unnerved me a bit at the time, but it makes me wonder if it's actually possible to get a tarball link to a git tag that will definitely have been auto-generated | 22:09:23 |
ris_ | i.e. even fetchFromGitHub was returning the manually-uploaded tarball | 22:11:32 |
tomberek | ris_: if you use a tree-hash you have much better guarantees from their archive-tarball API. Fetching by commit-hash may encounter git-filter+smudging issues. | 22:37:10 |
| @tpw_rules:matrix.org joined the room. | 23:01:50 |
@tpw_rules:matrix.org | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 | 23:01:55 |
@tpw_rules:matrix.org | Debian is considering reverting xz further | 23:02:08 |
@tpw_rules:matrix.org | given our long lead time on a fix we should too | 23:06:13 |
hexa | as mentioned, this would remove symbols that packages now depend on, so it's not as simple | 23:07:06 |
hexa | let's wait a week and see how the world looks then | 23:07:20 |