On 3/30/24 12:34, Genes Lists wrote:
On Fri, 2024-03-29 at 18:55 +0000, Arch Linux: Recent news updates: David Runge wrote:
TL;DR: Upgrade your systems and container images **now**!
<snip> Question:
--------
Would it make sense, therefore, to switch builds, where possible, away from tar files and instead pull directly from git source (signed tags where possible as usual etc)? Of course a git repo can also carry infections - perhaps taht's a little less likely.
Or is this not worth the trouble?
I have public servers -- so was quite terrifying. However, the consensus was that Arch was never vulnerable given that the .m4 script is not used in the PKGBUILD and is limited to use in .deb or .rpm packaging. (that's to say the compromised test files are present, but not invoked to inject themselves into the library as part of the build) The lack of freak-out by Allan was the most comforting aspect. Long discussion, frustrating abundance of "opinions" and light on "concrete facts", but worth the read on just how Arch handles xz: https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2 -- David C. Rankin, J.D.,P.E.