tcpdump mailing list archives

openwrt Conclusions from CVE-2024-3094 (libxz disaster)


From: Michael Richardson <mcr () sandelman ca>
Date: Mon, 01 Apr 2024 09:53:38 -0400


The entire openwrt thread is at:
    https://lists.openwrt.org/pipermail/openwrt-devel/2024-March/042499.html
continuing at:
    https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html


Daniel Golle <daniel () makrotopia org> wrote:
    > However, after reading up about the details of this backdoored release
    > tarball, I believe that the current tendency to use tarballs rather
    > than (reproducible!) git checkouts is also problematic to begin with.

    > Stuff like 'make dist' seems like a weird relic nowadays, creates more
    > problems than it could potentially solve, bandwidth is ubiquitous, and
    > we already got our own tarball mirror of git checkouts done by the
    > buildbots (see PKG_MIRROR_HASH). So why not **always** use that
    > instead of potentially shady and hard to verify tarballs?

I wonder if we should nuke our own make tarball system.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [
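As an added example of the check this thread argues for (not code from the openwrt or tcpdump projects): list what a release tarball contains that the tagged git tree does not track, and pin the archive's hash the way PKG_MIRROR_HASH does. The tarball and the tracked-file list are constructed inline.

```python
# Added example: compare a release tarball against the files git tracks.
import hashlib
import io
import tarfile


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Construct a gzip'd tarball in memory (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_only_files(tarball: bytes, tracked: set[str], prefix: str) -> list[str]:
    """Return regular-file members (release prefix stripped) that git does
    not track. 'make dist' legitimately adds generated files, so every hit
    needs review; it is also exactly where a tarball-only injection lives."""
    extra = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name.removeprefix(prefix + "/")
            if name not in tracked:
                extra.append(name)
    return sorted(extra)


def sha256_hex(data: bytes) -> str:
    """Hash to pin in the build system (the role PKG_MIRROR_HASH plays)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the tag tracks three files; the tarball carries a
# fourth m4 file that exists nowhere in git.
TRACKED = {"configure.ac", "src/main.c", "m4/ax_pthread.m4"}
TARBALL = build_tarball({
    "pkg-1.0/configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
    "pkg-1.0/m4/ax_pthread.m4": b"# tracked macro\n",
    "pkg-1.0/m4/extra-helper.m4": b"# present only in the tarball\n",
})

if __name__ == "__main__":
    for f in tarball_only_files(TARBALL, TRACKED, "pkg-1.0"):
        print("in tarball but untracked in git:", f)
```

In practice the tracked set comes from `git ls-files` at the release tag, and the result should be empty or explainable file by file.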

_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org