Sourceware mitigating and preventing the next xz-backdoor
Frank Ch. Eigler
fche@elastic.org
Wed Apr 10 14:09:24 GMT 2024
Hi -
> In Autotools, `make dist` produces a tarball that contains many
> files not present in the source repository; it includes build system
> core files, and this fact was used for the xz attack. In contrast,
> for newer build systems the "release tarball" is purely a snapshot
> of the source repository: there is no `cmake dist`, and `meson dist`
> is essentially `git archive` [...]
For what it's worth, not every auto*-using project uses "make dist" to
build their release tarballs. If they can get over the matter of
including auto*-generated scripts being located in the source repo,
then indeed a "git archive" is sufficient. Several of the projects I
work on do just this. (As a bonus, that makes the git repos immediately
buildable by developers, without needing to re-auto* anything.)
- FChE
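The check implied by the exchange above, as an added example that is not part of the original message or of any sourceware project: list the members of a release tarball and report every file that has no counterpart in the source tree. A `git archive` snapshot should yield an empty report; a `make dist` tarball will show the generated `configure`, `Makefile.in` and similar files, which is exactly the surface a reviewer wants to see called out. Everything in the script is constructed: the tiny project tree, the two tarballs and their file names. The source tree is walked with `find` so the demo runs without git; against a real release you would take the tree listing from `git ls-files` at the release tag instead.

```shell
#!/bin/sh
# Constructed demo: build a tiny "source tree", produce a git-archive-style
# tarball and a make-dist-style tarball from it, and list what each tarball
# carries that the tree does not.
export LC_ALL=C          # stable sort order for comm(1)

# Regular files inside a tarball, with the top-level directory stripped.
tarball_files() {
    tar -tf "$1" | grep -v '/$' | sed 's#^[^/]*/##' | sort
}

# Regular files in a source tree. In practice use `git ls-files` at the
# release tag; find(1) is used here so the demo has no git dependency.
tree_files() {
    ( cd "$1" && find . -type f | sed 's#^\./##' | sort )
}

# Print tarball members that do not exist in the source tree.
# Usage: extra_in_tarball <tarball> <source-tree>
extra_in_tarball() {
    t_tree=$(mktemp)
    t_tar=$(mktemp)
    tree_files "$2" > "$t_tree"
    tarball_files "$1" > "$t_tar"
    comm -13 "$t_tree" "$t_tar"      # lines only in the tarball listing
    rm -f "$t_tree" "$t_tar"
}

# --- constructed sample project ------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/proj-1.0"
mkdir -p "$SRC/src"
printf 'int main(void) { return 0; }\n' > "$SRC/src/main.c"
printf 'AC_INIT([proj],[1.0])\n'          > "$SRC/configure.ac"
printf 'bin_PROGRAMS = proj\n'            > "$SRC/Makefile.am"

# "git archive"-style tarball: exactly the tracked tree, nothing else.
SNAPSHOT="$WORK/proj-1.0-snapshot.tar"
tar -cf "$SNAPSHOT" -C "$WORK" proj-1.0

# "make dist"-style tarball: the same tree plus generated scripts that
# never lived in the repository (constructed stand-ins, not real output).
DIST_TREE="$WORK/dist/proj-1.0"
mkdir -p "$DIST_TREE"
cp -R "$SRC/." "$DIST_TREE/"
printf '#!/bin/sh\n# generated by autoconf (constructed)\n' > "$DIST_TREE/configure"
printf '# generated by automake (constructed)\n'           > "$DIST_TREE/Makefile.in"
DIST="$WORK/proj-1.0-dist.tar"
tar -cf "$DIST" -C "$WORK/dist" proj-1.0

echo "Files in snapshot tarball not in source tree:"
extra_in_tarball "$SNAPSHOT" "$SRC"      # prints nothing
echo "Files in dist tarball not in source tree:"
extra_in_tarball "$DIST" "$SRC"          # prints Makefile.in and configure
```

Run it as-is to see the two reports; to audit a real release, point `extra_in_tarball` at the downloaded tarball and a checkout of the tagged commit, and swap `find` for `git ls-files` in `tree_files`. A non-empty report is not proof of tampering, but every listed file is one that did not come from the reviewed repository and therefore deserves a second look.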