Ludovic Courtès writes:

> During the Guix Days session about bootstrapping¹, I suggested that we
> finally bite the bullet and avoid building from tarballs that contain
> pre-built binaries—typically autotools-generated files, Info files,
> sometimes HTML or PDF files.
>
> There are several reasons:
>
>  1. We go to (very) great lengths to build everything from source, and
>     this exception had become the elephant in the room. Debian and
>     live-bootstrap (among others) paved the way.
>
>  2. Tarballs that include generated code are an attack vector, as we
>     have seen with XZ-Utils.
>
>  3. Not the main motivation, but it turns out that archiving and
>     retrieving Git checkouts from SWH is less convoluted than dealing
>     with tarballs.
>
> I have created a milestone to keep track of progress:
>
>   https://codeberg.org/guix/guix/milestone/66679
>
> There’s a laborious but easy part with packages close to the leaves.
> And then there are trickier parts close to the root, in
> ‘commencement.scm’—though again we can take inspiration from
> live-bootstrap for these.
>
> If we eventually replace many tarballs with ‘git-fetch’, then we’ll have
> to require a version of guix-daemon recent enough to have
> “builtin:git-download”, to break the cycle.
>
> Thoughts?
We discussed it, and I'm very happy with this--possibly somewhat
bold?--move, thanks!

As a slightly [un]related note though, wasn't the XZ-Utils attack made
primarily in Git, or was the creation of a tarball involved?  Not to say
that running the auto*tools-generated code is bad, and could "easily" be
backdoored (more easily than to hide it in the auto*tools source files).

I don't want to really open a tangent on this, and I don't want to make
less of this proposal, which I support, but I'm wondering if there's
anything we'd want to do, or could do, about `generated code' / binaries
in git?

Greetings,
Janneke

-- 
Janneke Nieuwenhuizen <[email protected]> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com
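The check the two messages above circle around (which files does a release tarball ship that the corresponding git tag does not, and which of those are not obviously build-system output) can be scripted. The following is an added example, not code from this thread or from Guix: it compares a tarball member list with a git tree listing, and classifies the tarball-only paths by filename pattern. The pattern list in `generated_file_p`, the helper names and the demo file lists are all assumptions constructed for illustration. A tarball-only file that does not look generated is the interesting case, since that is where a tarball-only change of the XZ-Utils kind would hide.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): list files that a
# release tarball ships but the matching git tag does not, and flag those
# that do not look like autotools/Info/HTML/PDF output.

# tarball_member_list TARBALL
#   Regular-file members of TARBALL, with the "name-version/" prefix and
#   directory entries stripped, one path per line.
tarball_member_list() {
    tar -tf "$1" | sed -e 's,^[^/]*/,,' -e '/\/$/d' -e '/^$/d'
}

# git_tree_list REPO TAG
#   Files tracked at TAG in REPO.  Not exercised by the demo below, which
#   uses a constructed list so that it runs without a repository.
git_tree_list() {
    git -C "$1" ls-tree -r --name-only "$2"
}

# generated_file_p PATH
#   Succeed if PATH matches a common pattern for build-system output.
#   This pattern list is an assumption; extend it per project.
generated_file_p() {
    case "$1" in
        configure|*/configure|Makefile.in|*/Makefile.in|config.h.in|*/config.h.in|\
        aclocal.m4|*/aclocal.m4|INSTALL|build-aux/*|*/build-aux/*|\
        m4/libtool.m4|m4/lt*.m4|*.info|*.html|*.pdf)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# tarball_only_files TARBALL_LIST GIT_LIST
#   Paths present in TARBALL_LIST (one per line) but absent from GIT_LIST.
tarball_only_files() {
    t=$(mktemp) && g=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" >"$t"
    LC_ALL=C sort -u "$2" >"$g"
    LC_ALL=C comm -23 "$t" "$g"
    rm -f "$t" "$g"
}

# report TARBALL_LIST GIT_LIST
#   One line per tarball-only path, prefixed "generated" or "UNEXPECTED".
report() {
    tarball_only_files "$1" "$2" | while IFS= read -r p; do
        if generated_file_p "$p"; then
            printf 'generated  %s\n' "$p"
        else
            printf 'UNEXPECTED %s\n' "$p"
        fi
    done
}

# unexpected_count TARBALL_LIST GIT_LIST
#   Number of tarball-only files that do not look generated; 0 is the goal.
unexpected_count() {
    report "$1" "$2" | grep -c '^UNEXPECTED' || true
}

# make_demo_lists DIR
#   Write constructed demo input (not a real release) to DIR/git.txt and
#   DIR/tar.txt: the tarball adds the usual autotools output plus one m4
#   file the repository never had.
make_demo_lists() {
    cat >"$1/git.txt" <<'EOF'
configure.ac
Makefile.am
m4/foo.m4
src/main.c
src/Makefile.am
doc/foo.texi
EOF
    cat >"$1/tar.txt" <<'EOF'
configure.ac
configure
Makefile.am
Makefile.in
aclocal.m4
m4/foo.m4
m4/libtool.m4
m4/extra-helper.m4
src/main.c
src/Makefile.am
src/Makefile.in
doc/foo.texi
doc/foo.info
EOF
}

demo_dir=$(mktemp -d)
make_demo_lists "$demo_dir"
report "$demo_dir/tar.txt" "$demo_dir/git.txt"
# Among six "generated" lines, prints: UNEXPECTED m4/extra-helper.m4
rm -rf "$demo_dir"
```

For a real package the two inputs come from `tarball_member_list pkg-1.0.tar.gz` and `git_tree_list /path/to/clone v1.0`; the filename heuristic only sorts the noise, so every "generated" line still deserves a look at its contents, and a non-empty "UNEXPECTED" list is the signal that the tarball and the tag are not the same source.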
