From: Andreas Enge
To: Ludovic Courtès
Cc: Ekaitz Zarraga, Attila Lendvai, Giovanni Biscuolo, Guix Devel
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Thu, 11 Apr 2024 14:43:22 +0200
In-Reply-To: <87wmp5l3r3.fsf@gnu.org>
References: <87ttkon4c4.fsf@protonmail.com> <8734s1mn5p.fsf@xelera.eu> <87zfu9ku4l.fsf@xelera.eu> <6e743725-26f0-669c-b088-e56c850110c8@elenq.tech> <87wmp5l3r3.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
X-BeenThere: guix-devel@gnu.org

Hello,

On Wed, Apr 10, 2024 at 03:57:20PM +0200, Ludovic Courtès wrote:
> I think we should gradually move to building everything from
> source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.

The big drawback of this approach is that we would lose maintainers'
signatures, right?

Would the suggestion to use signed tarballs, but to autoreconf the
generated files, not be a better compromise between trusting and
distrusting upstream maintainers?

Andreas
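As an added illustration of the compromise proposed in the message above (this is example code, not code from Guix or from anyone in this thread): a POSIX shell script that assumes the release tarball has already passed `gpg --verify` against the maintainer's key and been unpacked, compares its tree with a checkout of the matching VCS tag, reports every file the tarball adds or changes relative to VCS, and removes the files that a later `autoreconf -fi` would regenerate. The list of "generated" paths, the directory layout and the sample project are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from Guix or from anyone in this thread.
# Keeps the maintainer-signed tarball as the input, but treats everything
# that "make dist" put on top of the VCS tree as untrusted: report it,
# then drop the regenerable part so the builder's own autoreconf rebuilds
# it.  Directory layout, file names and the sample project are hypothetical.
set -eu

# verify_signature TARBALL SIG: the step that keeps the maintainer's
# signature in the loop.  Needs the maintainer's public key in the
# keyring; not exercised by the demo because it cannot run offline.
verify_signature() {
  gpg --verify "$2" "$1"
}

# Paths that "make dist" adds and that `autoreconf -fi` regenerates from
# configure.ac / Makefile.am.  This list is an assumption and a floor:
# real projects add more (gettext, gnulib, libtool files), and m4 macros
# copied in at bootstrap time are NOT regenerated by autoreconf alone.
is_autotools_generated() {
  case "$1" in
    configure|config.h.in|aclocal.m4|INSTALL|ltmain.sh) return 0 ;;
    Makefile.in|*/Makefile.in|build-aux/*)             return 0 ;;
    m4/libtool.m4|m4/lt*.m4)                           return 0 ;;
    *)                                                 return 1 ;;
  esac
}

# list_files DIR: sorted relative paths of regular files, ignoring .git
list_files() {
  (cd "$1" && find . -type f ! -path './.git/*' | sed 's|^\./||' | sort)
}

# audit_tarball VCS_DIR TARBALL_DIR: one line per finding
#   GENERATED <path>  only in tarball and regenerable: safe to drop
#   EXTRA     <path>  only in tarball, not regenerable: needs a human look
#   MODIFIED  <path>  in both trees but content differs: needs a human look
audit_tarball() {
  vcs=$1; tb=$2; tmp=$(mktemp -d)
  list_files "$vcs" > "$tmp/vcs"
  list_files "$tb"  > "$tmp/tb"
  comm -13 "$tmp/vcs" "$tmp/tb" | while IFS= read -r f; do
    if is_autotools_generated "$f"; then
      echo "GENERATED $f"
    else
      echo "EXTRA $f"
    fi
  done
  comm -12 "$tmp/vcs" "$tmp/tb" | while IFS= read -r f; do
    cmp -s "$vcs/$f" "$tb/$f" || echo "MODIFIED $f"
  done
  rm -rf "$tmp"
}

# strip_generated TARBALL_DIR: remove the regenerable files.  After this,
# `autoreconf -fi` (run by the builder, not here) rebuilds them from
# configure.ac / Makefile.am, i.e. from what is actually under VCS.
strip_generated() {
  list_files "$1" | while IFS= read -r f; do
    if is_autotools_generated "$f"; then rm -f "$1/$f"; fi
  done
}

# Constructed sample input: a VCS checkout and a tarball of the same
# release.  The tarball carries the usual generated files, plus one m4
# file that is in neither VCS nor the regenerable set, and a configure.ac
# that no longer matches VCS.
make_sample() {
  root=$1
  for d in vcs tb; do
    mkdir -p "$root/$d/m4" "$root/$d/src"
    echo 'AC_INIT([demo],[1.0])'          > "$root/$d/configure.ac"
    echo 'bin_PROGRAMS = demo'            > "$root/$d/Makefile.am"
    echo 'int main(void){return 0;}'      > "$root/$d/src/demo.c"
  done
  mkdir -p "$root/tb/build-aux"
  echo '#! /bin/sh'                       > "$root/tb/configure"
  echo '# generated by automake'          > "$root/tb/Makefile.in"
  echo '# install-sh'                     > "$root/tb/build-aux/install-sh"
  echo 'dnl only in the tarball'          > "$root/tb/m4/extra-helper.m4"
  echo 'AC_INIT([demo],[1.0]) dnl edited' > "$root/tb/configure.ac"
}

# demo: build the sample, audit it, strip it, and print what is left to
# hand to autoreconf.
demo() {
  root=$(mktemp -d)
  make_sample "$root"
  audit_tarball "$root/vcs" "$root/tb"
  strip_generated "$root/tb"
  echo "REMAINING: $(list_files "$root/tb" | tr '\n' ' ')"
  rm -rf "$root"
}

demo
```

The EXTRA and MODIFIED lines are where a reviewer's attention goes: they are the files for which the maintainer's signature is the only assurance, and which `autoreconf` will not replace. Everything reported as GENERATED is discarded before the build, so the signature still vouches for the tarball while none of its generated content is trusted as-is.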