On Mar 30, 2024, Eric Gallager <eg...@gwmail.gwu.edu> wrote:

> automake's `distcheck` target, whose entire purpose is to make it
> easier to verify that a distribution tarball can be rebuilt from
> itself and contains all the things it ought to contain.

> Recommending the `distcheck` target to a wider variety of users would
> help more projects catch mismatches between things a distribution
> tarball is supposed to contain, and things that it isn't.  This would
> be a win for security and could help make it easier to catch future
> possible bad actors trying to pull a similar trick.  What do people
> think?

Bluntly, I don't think it would help with security.  The attacker would
just have to disable or adjust the distcheck target to seemingly pass.

Relying on something in a code repository to tell whether the repository
is secure is akin to tying a dog with sausage.

For security proper, the verification code needs to be held elsewhere,
not compromisable along with the thing it's supposed to verify.

Analogously, you don't run a rootkit checker on the system that's
potentially compromised, because the rootkit may hide itself; you boot
off secure media and then use the tools in it to look for the rootkit in
the potentially-compromised system, *without* handing control over to
it.

-- 
Alexandre Oliva, happy hacker            https://FSFLA.org/blogs/lxo/
   Free Software Activist                   GNU Toolchain Engineer
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Think Assange & Stallman.  The empires strike back
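
The point above about holding the verifier outside the thing it verifies, as an added example (not part of the original message, and not automake's or any project's own tooling): a Python check that runs on the auditor's side, reads the tarball's members without extracting or executing anything shipped in it, and compares their hashes with those of an independently obtained checkout. The file names, contents and the `pkg-1.0` layout are constructed for illustration.

```python
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_manifest(tar_bytes: bytes) -> dict:
    """Hash each member by reading it; nothing from the tarball is extracted or run."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if member.isdir():
                continue
            path = member.name.split("/", 1)[-1]  # drop the top-level "pkg-1.0/"
            if member.isfile():
                manifest[path] = sha256(tf.extractfile(member).read())
            else:  # links/devices have no content to hash; record so they never match
                manifest[path] = "non-regular:" + (member.linkname or "")
    return manifest

def compare(trusted: dict, shipped: dict) -> dict:
    return {
        "modified": sorted(p for p in shipped if p in trusted and shipped[p] != trusted[p]),
        "only_in_tarball": sorted(set(shipped) - set(trusted)),
        "missing_from_tarball": sorted(set(trusted) - set(shipped)),
    }

def make_tarball(files: dict, top: str = "pkg-1.0") -> bytes:
    """Build a constructed sample tarball in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data: the independently fetched tree and the shipped tarball.
REPO_TREE = {"configure.ac": b"AC_INIT([pkg],[1.0])\n", "Makefile.am": b"SUBDIRS = src\n",
             "src/main.c": b"int main(void) { return 0; }\n"}
SHIPPED = {**REPO_TREE,
           "Makefile.am": b"SUBDIRS = src\n# constructed: differs from the repository copy\n",
           "configure": b"#!/bin/sh\n"}  # generated file, absent from the repository

def audit(shipped_files: dict = SHIPPED) -> dict:
    trusted = {path: sha256(data) for path, data in REPO_TREE.items()}
    return compare(trusted, tarball_manifest(make_tarball(shipped_files)))
```

Entries under `only_in_tarball` are expected for generated files such as `configure`; they are the ones a reviewer has to regenerate or read by hand, since the repository offers nothing to compare them against.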