> On 31 March 2024 at 01:07, Elliott Mitchell <ehem+open...@m5p.com> wrote:
> 
>> Normally upstream publishes release tarballs that are different than the
>> automatically generated ones in GitHub. In these modified tarballs, a
>> malicious version of build-to-host.m4 is included to execute a script
>> during the build process.
> 
> So the malicious source code was part of all tarballs, but only the
> tarballs with the modified `build-to-host.m4` would trigger the malicious
> payload.
> 
> So obtaining GitHub's tarballs which came directly from the Git
> repository *does* avoid the breach.

https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00

Let’s not lure ourselves into thinking that not using upstream-provided
tarballs but upstream-provided repo instead is inherently safer. With
adversarial upstream, *nothing* is safe anyway.

And even when upstream repo isn’t entirely under adversarial control, a bad
actor can sneak stuff in:
https://github.com/libarchive/libarchive/commit/6110e9c82d8ba830c3440f36b990483ceaaea52c

My 2c.
T
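An added check, not from the thread, for the tarball-versus-repository question discussed above: it compares a release tarball with a `git archive` of the same tag and lists files that exist only in the release or whose contents differ. The two tarballs and the project name `xz-0.0` are constructed in memory for the demonstration; in practice both would be read from disk.

```python
import hashlib
import io
import tarfile


def _digests(tar_bytes: bytes) -> dict:
    """Map each regular file path (top-level directory stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            out[path] = hashlib.sha256(data).hexdigest()
    return out


def compare_tarballs(release: bytes, git_archive: bytes) -> dict:
    """Return files only in the release tarball and files whose content differs."""
    rel, git = _digests(release), _digests(git_archive)
    return {
        "only_in_release": sorted(set(rel) - set(git)),
        "modified": sorted(p for p in rel if p in git and rel[p] != git[p]),
    }


def _make_tar(top: str, files: dict) -> bytes:
    """Build a gzip tarball in memory from {path: content} (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{top}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: the git archive lacks the generated m4 file, while the
# release tarball ships one and also carries a changed configure.ac.
GIT_ARCHIVE = _make_tar("xz-0.0", {
    "configure.ac": b"AC_INIT([xz], [0.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
})
RELEASE_TARBALL = _make_tar("xz-0.0", {
    "configure.ac": b"AC_INIT([xz], [0.0])\nAC_CONFIG_MACRO_DIR([m4])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/build-to-host.m4": b"# placeholder content, not the real file\n",
})
```

Generated autotools files such as `configure` or files under `m4/` legitimately appear only in release tarballs, so the output is a review list for a human to inspect, not a verdict.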
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
