Hi,

I'm seeing weird things.

For whatever reason Source for xz was changed 2 months ago[1] to use
GH releases instead of tukaani.org site.

The XZ page[2] has a note stating:

"Note: GitHub automatically includes two archives Source code (zip)
and Source code (tar.gz) in the releases. These archives cannot be
disabled and should be ignored."

And the Wayback Machine[3] doesn't have previous versions.

Do we know if GH release tarballs are safe?
@richard, do you remember why you had to change the source for the tarball?

Regards,
Mikel

[1] https://src.fedoraproject.org/rpms/xz/c/0c09a6280b4a0c4fd7a9fc742c09469c95ff431f?branch=f40
[2] https://xz.tukaani.org/
[3] https://web.archive.org/web/20240119212251/https://xz.tukaani.org/

Kevin Kofler via devel (devel@lists.fedoraproject.org) wrote
(Fri, Mar 29, 2024, 19:01):
>
> Hi,
>
> wow: https://www.openwall.com/lists/oss-security/2024/
>
> I think at this point we clearly cannot trust xz upstream anymore and should
> probably fork the project.
>
>         Kevin Kofler
> --
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue