Can I just say that I have created #curl releases "the #xz way" since the 90s: I generate the release tarballs on my machine. It makes the tarball have (generated) files included that are not present in git. It's a feature. But it also makes it harder for observers to figure out if the additional files are fine or not.
BenBE
in reply to daniel:// stenberg:// • • •Any chance for curl releases to be generated with a CI/CD process, where the exact commands are documented publicly AND are run on a system that's NOT your usual development system?
Example: htop:
https://github.com/htop-dev/htop/blob/main/.github/workflows/build_release.yml
htop/.github/workflows/build_release.yml at main · htop-dev/htop
GitHubdaniel:// stenberg://
in reply to BenBE • • •scy
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to scy • • •BenBE
in reply to daniel:// stenberg:// • • •Heath Stewart
in reply to daniel:// stenberg:// • • •@scy @benbe This. There's currently no proof that the release came from the CI. Maybe the CI did publish something, but how do you know it wasn't replaced by a compromised maintainer?
There could be solutions, though: print the hash on the CI (people would so have to check it), have hosted agents sign e.g., gpg, releases like GitHub does for commits it makes and show a green check for such artifacts. Still, users would have to verify the build scripts weren't compromised. Who'd do that?
Brian Campbell
in reply to daniel:// stenberg:// • • •@scy @benbe A lot of distros have been working on build reproducibility issues, and additionally sometimes basing sources on git rather than tarballs.
It's not going to help in all cases, but it's possible that one of the build reproducibility projects could have caught this.
Pink
in reply to daniel:// stenberg:// • • •Christen Lofland
in reply to daniel:// stenberg:// • • •Patric Mueller
in reply to daniel:// stenberg:// • • •Commiting generated files to git is the easy fix.
Another option is to generate the release tarballs on a public CI that is likely harder to breach?
Tom
in reply to daniel:// stenberg:// • • •guenther
in reply to daniel:// stenberg:// • • •Brian Campbell
in reply to daniel:// stenberg:// • • •Yeah, it's a common pattern, that's why it worked so well.
I think it would be better for those kinds of steps to be done by a reproducible build that could happen in CI, and that package maintainers could do themselves to verify that it's reproducible, but this got by so easily in part because it's such a common pattern.
cesarb
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to cesarb • • •cesarb
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to cesarb • • •cesarb
in reply to daniel:// stenberg:// • • •