| 29 Mar 2024 |
cleverca22 | In reply to @vcunat:matrix.org Because release tarballs need fewer dependencies to build from. I suspect that's also part of the exploit chain: configure isn't in git, and has to be generated when making the release tarball, and users are trusting that configure was generated properly | 19:09:45 |
cleverca22 | so the critical piece in making it all work isn't in git, and there is no evidence of it in the history | 19:10:05 |
ris_ | I think we've encountered situations before where the GitHub automatically generated tarball has been "overridden" by a release file being supplied in its place - which unnerved me a bit at the time - but makes me wonder if it's actually possible to get a tarball link to a git tag that will definitely have been auto-generated | 22:09:23 |
ris_ | i.e. even fetchFromGitHub was returning the manually-uploaded tarball | 22:11:32 |
tomberek | ris_: if you use a tree-hash you have much better guarantees from their archive-tarball API. Fetching by commit-hash may encounter git-filter+smudging issues. | 22:37:10 |
@tpw_rules:matrix.org | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 | 23:01:55 |
@tpw_rules:matrix.org | Debian is considering reverting xz further | 23:02:08 |
@tpw_rules:matrix.org | given our long lead time on a fix we should too | 23:06:13 |
hexa | as mentioned this would remove symbols that packages now depend on, so not as simple | 23:07:06 |
hexa | let's wait a week and see how the world looks then | 23:07:20 |
@tpw_rules:matrix.org | ok | 23:07:57 |
@tpw_rules:matrix.org | thanks all | 23:12:00 |
ris_ | I'm struggling to reproduce this now, but I'm sure we've had at least one case in the past where fetchFromGitHub wasn't returning the vanilla repo source | 23:16:40 |
ris_ | tomberek: not sure how we'd fit any of that in with the UX of fetchFromGitHub though | 23:17:57 |
tomberek | I don't think fetchFromGitHub can. I was talking about the underlying mechanism from GitHub. | 23:18:51 |
ris_ | fundamentally for f-f-g-h we want a user to supply a tag name and unmistakably get the repo source for that commit. perhaps we can and I'm just delusional/mis-remembering | 23:20:42 |
ris_ | anyway, we should probably investigate how we might make it easier to build packages from raw source, despite bootstrapping issues | 23:22:14 |
| 30 Mar 2024 |
raitobezarius | Post-bootstrap verification seems a cheap first step; let's double-check we get the expected stuff | 01:39:02 |