tcpdump mailing list archives

Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)


From: Bill Fenner <fenner () gmail com>
Date: Mon, 1 Apr 2024 15:23:22 -0700

On Mon, Apr 1, 2024 at 11:06 AM Michael Richardson <mcr () sandelman ca> wrote:

> Bill Fenner <fenner () gmail com> wrote:
>     > mcr suggested:
>     >> I wonder if we should nuke our own make tarball system.
>
>     > The creation of a tarball and its signature gives a place to hang one's hat
>     > about origin of code - "someone with the right key claims that this tarball
>     > genuinely reflects what the project wants to distribute".  Is there a
>     > similar mechanism for a git tag?
>
> Yes, git tag -s lets you sign a commit with a PGP key.


Just trying to brainstorm about how this fits with build systems like
Arista's, where we store the tarball and check the signature at build time
- I suppose it just turns into "vendor the git tag into a local repo and
check the signature at build time".

I have no objection to either requiring people to have autotools, or going
cmake-only.  (I mean, I personally find cmake hard to use, but that
shouldn't influence what the project does.)

  Bill
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org
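An added example, not code from this thread or from the tcpdump project, of the build-time check Bill sketches: vendor the signed tag into a local mirror, verify it against a dedicated keyring with the expected signer fingerprint pinned, and export the verified tree rather than fetching a separate tarball. It assumes git and gpg are installed and that GNUPGHOME points at a keyring holding only the project's release keys; the repo path, tag name and fingerprint are placeholders the caller supplies.

```shell
#!/bin/sh
# Added example (not the thread's or the project's code): verify a vendored
# signed git tag at build time against a pinned signer fingerprint.
# Assumes git + gpg installed and GNUPGHOME = keyring with only release keys.
set -eu

# Read gpg status-fd lines (what `git verify-tag --raw` prints) from stdin.
# Succeed only on GOODSIG plus a VALIDSIG whose signing-key or primary-key
# fingerprint equals $1. git's exit status alone is not enough: any key
# present in the keyring would satisfy it.
check_gpg_status() {
    expected="$1"
    good=0; pinned=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] VALIDSIG $expected "*|"[GNUPG:] VALIDSIG "*" $expected") pinned=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
        esac
    done
    [ "$good" = 1 ] && [ "$pinned" = 1 ]
}

# verify_vendored_tag REPO TAG FINGERPRINT
# Exit 0 only if TAG in the local mirror REPO carries a good signature by
# the pinned key. The status lines go to stderr, so swap the streams.
verify_vendored_tag() {
    git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null | check_gpg_status "$3"
}

# export_verified_tree REPO TAG OUT.tar
# Called only after verification; the signed tag object names the commit,
# so the exported tree is exactly what the signer tagged.
export_verified_tree() {
    git -C "$1" archive --format=tar --prefix="$2/" "$2" > "$3"
}

# Usage: ./verify-tag.sh /path/to/mirror tcpdump-X.Y.Z <FINGERPRINT>
# (all three are placeholders; nothing runs when invoked without them)
if [ "$#" -eq 3 ]; then
    if verify_vendored_tag "$1" "$2" "$3"; then
        export_verified_tree "$1" "$2" "$2.tar"
        echo "verified $2 signed by $3; exported $2.tar"
    else
        echo "refusing to build: $2 is not signed by pinned key $3" >&2
        exit 1
    fi
fi
```

Only annotated tags can carry a signature, so the mirror must fetch the tag objects themselves, not just the commits they point at.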