tcpdump mailing list archives
openwrt Conclusions from CVE-2024-3094 (libxz disaster)
From: Michael Richardson <mcr () sandelman ca>
Date: Mon, 01 Apr 2024 09:53:38 -0400
The entire openwrt thread is at:
https://lists.openwrt.org/pipermail/openwrt-devel/2024-March/042499.html
continuing at:
https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html

Daniel Golle <daniel () makrotopia org> wrote:
> However, after reading up about the details of this backdoored release
> tarball, I believe that the current tendency to use tarballs rather
> than (reproducible!) git checkouts is also problematic to begin with.
> Stuff like 'make dist' seems like a weird relic nowadays, creates more
> problems than it could potentially solve, bandwidth is ubiquitous, and
> we already got our own tarball mirror of git checkouts done by the
> buildbots (see PKG_MIRROR_HASH). So why not **always** use that
> instead of potentially shady and hard to verify tarballs?

I wonder if we should nuke our own make tarball system.

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr () sandelman ca http://www.sandelman.ca/ | ruby on rails [
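
Added example, not part of the original post or of any OpenWrt or tcpdump tooling: one way to check a release tarball against the git checkout it claims to come from, which is the comparison the quoted argument turns on. The file names and contents are constructed, and the checkout side is assumed to be the output of `git archive` for the release tag.

```python
import hashlib
import io
import tarfile

def tar_digests(tar_bytes, strip_components=0):
    """Map each regular file in a tar archive to its SHA-256 digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                # Drop leading directories such as "demo-1.0/" so paths line up.
                path = "/".join(member.name.split("/")[strip_components:])
                digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def compare(release, checkout):
    """Return (only_in_release, differing, only_in_checkout), each sorted."""
    shared = set(release) & set(checkout)
    return (sorted(set(release) - shared),
            sorted(p for p in shared if release[p] != checkout[p]),
            sorted(set(checkout) - shared))

def build_tar(files, prefix=""):
    """Build an in-memory .tar.gz; only used to construct the sample below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: a `git archive` export vs. a "make dist" style tarball.
GIT_FILES = {"configure.ac": b"AC_INIT([demo],[1.0])\n",
             "src/main.c": b"int main(void) { return 0; }\n",
             ".gitignore": b"*.o\n"}
DIST_FILES = {"configure.ac": GIT_FILES["configure.ac"],
              "src/main.c": b"int main(void) { return 1; }\n",  # differs from git
              "configure": b"#!/bin/sh\n# generated by autoconf\n",
              "m4/extra.m4": b"dnl present only in the tarball\n"}

def audit_sample():
    checkout = tar_digests(build_tar(GIT_FILES))
    release = tar_digests(build_tar(DIST_FILES, "demo-1.0/"), strip_components=1)
    return compare(release, checkout)

if __name__ == "__main__":
    # Tarball-only files never went through git review; read each one.
    print(audit_sample())
```

Generated files such as `configure` will normally show up as tarball-only, so the output is a review list rather than a verdict.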