
Yes, the whole "let's take a mystery meat tarball from a repo that isn't the project repo" thing seems suspect.

GitHub+ even has a scheme for signing artifacts such that you have some level of trust they came from inside their Actions system, derived from some git commit. This would allow the benefits of a modular build for a large product like a distro, while preserving a chain of trust in its component parts.

+Not advocating a dependency on GitHub per se -- the same sort of artifact attestation scheme could be implemented elsewhere.
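
The check the comment above describes, as an added example that is not part of the thread and not GitHub's or any project's code: a consumer of a build artifact verifies that the attested subject digest matches the bytes it downloaded, and that the attested build was fed from the expected repository at the expected git commit. The JSON layout is modelled on an in-toto Statement v1 carrying a SLSA provenance v1 predicate, which is the shape GitHub's artifact attestations use, but the exact field names here are an assumption, as are the example repository URL, commit and artifact bytes. The signature over the statement (a Sigstore/DSSE envelope in GitHub's case) is what proves the statement came from the build system; this code assumes that signature was already verified by a tool such as `gh attestation verify` and only checks the binding the signature protects.

```python
"""Check a build-provenance statement against a downloaded artifact.

Illustrative code only. Layout modelled on in-toto Statement v1 with a
SLSA provenance v1 predicate; field names are assumed. Signature
verification over the statement is assumed to happen elsewhere.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"


def make_statement(artifact_name, artifact, repo_url, commit):
    """Build a minimal provenance statement for `artifact` (constructed sample,
    standing in for what a CI attestation step would emit)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "resolvedDependencies": [
                    # The source checkout the build consumed, pinned to a commit.
                    {"uri": f"git+{repo_url}@refs/heads/main",
                     "digest": {"gitCommit": commit}}
                ]
            },
            "runDetails": {
                # Assumed form: the workflow that ran the build.
                "builder": {"id": f"{repo_url}/.github/workflows/build.yml@refs/heads/main"}
            },
        },
    }


def check_provenance(statement, artifact, expected_repo_url, expected_commit=None):
    """Return a list of problems; an empty list means the binding holds."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        problems.append(f"unexpected predicate type {statement.get('predicateType')!r}")

    # 1. The bytes we downloaded must be exactly what the builder attested.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        problems.append(f"artifact sha256 {actual[:12]}... is not an attested subject")

    # 2. The build must have been fed from the project's own repository ...
    build_def = statement.get("predicate", {}).get("buildDefinition", {})
    deps = build_def.get("resolvedDependencies", [])
    prefix = f"git+{expected_repo_url}@"
    source = next((d for d in deps if d.get("uri", "").startswith(prefix)), None)
    if source is None:
        problems.append(f"no source dependency from {expected_repo_url}")
    # 3. ... at the commit the consumer pins, if it pins one.
    elif expected_commit:
        got = source.get("digest", {}).get("gitCommit")
        if got != expected_commit:
            problems.append(f"built from commit {got}, expected {expected_commit}")

    # 4. The builder identity should be a workflow of that repository, not a fork.
    builder = statement.get("predicate", {}).get("runDetails", {}) \
                       .get("builder", {}).get("id", "")
    if not builder.startswith(expected_repo_url + "/"):
        problems.append(f"builder {builder!r} is not a workflow of {expected_repo_url}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a fake tarball, a fake repo and a fake 40-hex commit.
    tarball = b"\x1f\x8b constructed tarball bytes"
    repo = "https://github.com/example/project"
    commit = "0123456789abcdef0123456789abcdef01234567"
    stmt = make_statement("project-1.0.tar.gz", tarball, repo, commit)
    print(json.dumps(stmt, indent=2))
    print("genuine:", check_provenance(stmt, tarball, repo, commit))
    print("tampered:", check_provenance(stmt, tarball + b"\x00", repo, commit))
    print("other repo:", check_provenance(stmt, tarball, "https://github.com/someone-else/project"))
```

The point of step 2 is the one the comment makes: the tarball is tied to a commit in the project's own repository, so a "mystery meat" archive built from some other tree fails the check even if its own hash is internally consistent. Without the signature check this code assumes, an attacker could of course just write a statement that matches their tarball; the binding and the signature only help together.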

As I wrote in a different thread, some projects don't have any source control.

Of the big ones, 7z and ncurses are both tarballs only.


They need to join us in the 80s and start using source control.


Yeah, let's make the entire open source ecosystem reliant on Microsoft. No thanks.
