
Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition

Previously on this list Brian May contributed:

> After the damage is done, probably easier to find the malware that did it

Assuming the damage is visible?

> All rants aside, I believe there's a fairly wide agreement that we
> should throw away binaries from builds.  

>> I'd encourage something slightly different and then I'd expand on it a
>> bit.

Sounds like a plan, but perhaps, if they are not already, these uploads
should be enabled within their own apt sources line.

Whilst malicious code can be hidden in source and accompanying packages
such as via side-channel attacks, any additional threats should be
avoided or users enabled to avoid them where possible.


'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
