[mu4e must have changed the key bindings for replies, so here is my mail
again, this time as a wide reply.]
Giovanni Biscuolo writes:
> So AFAIU using a fixed "autoreconf -fi" should mitigate the risks of
> tampered .m4 macros (and other possibly tampered build configuration
> script)?
>
> IMHO
Hi,
I just want to add some perspective from the bootstrapping.
On 2024-04-04 21:48, Attila Lendvai wrote:
all in all, just by following my gut insctincts, i was advodating for building
everything from git even before the exposure of this backdoor. in fact, i found
it surprising as a guix ne
Dear Guix developers,
A paper of mine has been accepted as a Work in Progress at the next
International Workshop on Plan 9 (http://iwp9.org/).
I'll be presenting it not next week end, but the one after (12-14 April
2024).
I'd be happy if some of you would be so kind as to read it with their
exte
> Are really "configure scripts containing hundreds of thousands of lines
> of code not present in the upstream VCS" the norm?
pretty much for all C and C++ projects that use autoconf... which is numerous,
especially among the core GNU components.
> If so, can we consider hundreds of thousand
Hi,
Thanks for your reply,
1. Changing the tag to reviewed-looks-good
It doesn't look like this worked. The way to do this is in the instructions are
4. 'Set a user tag' [0], probably the easiest way is to send an email (I do get
funny results sometimes with my email client):
Subject: setti
Hi Attila,
Attila Lendvai writes:
>> Also, in (info "(guix) origin Reference") I see that Guix packages
>> can have a list of uri(s) for the origin of source code, see xz as an
>> example [7]: are they intended to be multiple independent sources to
>> be compared in order to prevent possible tam
Hello,
a couple of additional (IMO) useful resources...
Giovanni Biscuolo writes:
[...]
> Let me highlight this: «It is pragmatically impossible [...] to peer
> review a tarball prepared in this manner.»
>
> There is no doubt that the release tarball is a very weak "trusted
> source" (trusted
> Also, in (info "(guix) origin Reference") I see that Guix packages can have a
> list of uri(s) for the origin of source code, see xz as an example [7]:
> are they intended to be multiple independent sources to be compared in
> order to prevent possible tampering or are they "just" alternatives to
Hi,
Comments below:
On 3 Apr, Christina O'Donnell wrote:
(...)
> Thank you for writing this up in so much depth! I've reviewed [1] and tried
> to tag it as reviewed-looks-good, though I don't think that has gone
> through. If you or someone else could take a look at it then I'd appreciate
> that.
Hello everybody,
I know for sure that Guix maintainers and developers are working on
this, I'm just asking to find some time to inform and possibly discuss
with users (also in guix-devel) on what measures GNU Guix - the software
distribution - can/should deploy to try to avoid this kind of attacks
10 matches
Mail list logo
