[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

2024-04-01 Thread Denis Ovsienko
On Mon, 01 Apr 2024 09:53:38 -0400 Michael Richardson wrote: > The entire openwrt thread is at: > https://lists.openwrt.org/pipermail/openwrt-devel/2024-March/042499.html > continuing at: > https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html > > > Daniel Golle

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

2024-04-01 Thread Bill Fenner
On Mon, Apr 1, 2024 at 11:06 AM Michael Richardson wrote: > > Bill Fenner wrote: > > mcr suggested: > >> I wonder if we should nuke our own make tarball system. > > > The creation of a tarball and its signature gives a place to hang > one's hat > > about origin of code -

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

2024-04-01 Thread Michael Richardson
Guy Harris wrote: > If so, do we > 1) require people to have autotools installed and run ./autogen.sh > or > 2) generate the configure scripts on some standard platform and check it in 3) stop using autoconf, cmake only.

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

2024-04-01 Thread Francois-Xavier Le Bail via tcpdump-workers
On 01/04/2024 20:18, Guy Harris wrote: > On Apr 1, 2024, at 6:53 AM, Michael Richardson wrote: > >> I wonder if we should nuke our own make tarball system. > > I.e., replace: > > to get {libpcap,tcpdump,tcpslice} version X.Y.Z, download >

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

2024-04-01 Thread Guy Harris
On Apr 1, 2024, at 6:53 AM, Michael Richardson wrote: > I wonder if we should nuke our own make tarball system. I.e., replace: to get {libpcap,tcpdump,tcpslice} version X.Y.Z, download {libpcap,tcpdump,tcpslice}-X.Y.Z.tar.{compression-suffix} with to get

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

2024-04-01 Thread Michael Richardson
Bill Fenner wrote: > mcr suggested: >> I wonder if we should nuke our own make tarball system. > The creation of a tarball and its signature gives a place to hang one's hat > about origin of code - "someone with the right key claims that this tarball > genuinely reflects

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

2024-04-01 Thread Bill Fenner
mcr suggested: > I wonder if we should nuke our own make tarball system. The creation of a tarball and its signature gives a place to hang one's hat about origin of code - "someone with the right key claims that this tarball genuinely reflects what the project wants to distribute". Is there a

[tcpdump-workers] openwrt Conclusions from CVE-2024-3094 (libxz disaster)

2024-04-01 Thread Michael Richardson
The entire openwrt thread is at: https://lists.openwrt.org/pipermail/openwrt-devel/2024-March/042499.html continuing at: https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html Daniel Golle wrote: > However, after reading up about the details of this backdoored
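The thread above turns on one check that the xz incident made concrete: a release tarball can carry files, or versions of files, that the signed git tag does not. The following is an added example, not code from the tcpdump project or from anyone in the thread, of how a downstream packager (or the release manager) can mechanically diff a release tarball against a `git archive` of the corresponding tag. The two tarballs, the version number 9.9.9, the file names, and the allowlist of autotools-generated files that are expected to exist only in the tarball are all constructed here for illustration; verifying the detached signature on the tarball is a separate step (e.g. `gpg --verify`) that this code assumes has already been done.

```python
import hashlib
import io
import tarfile
from typing import Dict, List

# Constructed fixture: what `git archive --format=tar --prefix=libpcap-9.9.9/ v9.9.9`
# would contain for a hypothetical tag. Contents and version are made up.
TAG_TREE: Dict[str, bytes] = {
    "libpcap-9.9.9/configure.ac": b"AC_INIT([libpcap], [9.9.9])\n",
    "libpcap-9.9.9/m4/checks.m4": b"dnl original macro\n",
    "libpcap-9.9.9/pcap.c": b"int main(void) { return 0; }\n",
}

# Constructed fixture: a release tarball for the same version. It adds the
# generated `configure` (expected) and quietly alters an m4 file (not expected).
RELEASE_TREE: Dict[str, bytes] = {
    "libpcap-9.9.9/configure.ac": b"AC_INIT([libpcap], [9.9.9])\n",
    "libpcap-9.9.9/m4/checks.m4": b"dnl original macro\ndnl extra line present only in the tarball\n",
    "libpcap-9.9.9/pcap.c": b"int main(void) { return 0; }\n",
    "libpcap-9.9.9/configure": b"#!/bin/sh\n# generated by autoconf\n",
}

# Assumption: files autotools generates that a project may legitimately ship
# only in the tarball. Adjust per project; anything else is flagged.
EXPECTED_GENERATED = {"configure", "config.guess", "config.sub", "install-sh", "aclocal.m4"}


def build_tar(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory gzip tarball from a {path: content} map (fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(members.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_tarball(blob: bytes, strip_top_dir: bool = True) -> Dict[str, str]:
    """Map every regular file in a tarball to its SHA-256.

    The leading 'project-X.Y.Z/' component is removed so a release tarball and a
    git archive of the same tag compare path-for-path regardless of prefix.
    """
    digests: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name
            if strip_top_dir and "/" in path:
                path = path.split("/", 1)[1]
            fh = tar.extractfile(member)
            assert fh is not None
            digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_release_to_tag(release: Dict[str, str], tag: Dict[str, str]) -> Dict[str, List[str]]:
    """Report paths only in the tarball, only in git, or present in both with different content."""
    both = set(release) & set(tag)
    return {
        "only_in_tarball": sorted(set(release) - set(tag)),
        "only_in_git": sorted(set(tag) - set(release)),
        "content_differs": sorted(p for p in both if release[p] != tag[p]),
    }


def unexpected_changes(report: Dict[str, List[str]]) -> List[str]:
    """Everything a reviewer must explain: modified files, plus tarball-only files
    that are not on the generated-file allowlist."""
    extras = [p for p in report["only_in_tarball"] if p not in EXPECTED_GENERATED]
    return sorted(set(extras) | set(report["content_differs"]))


def audit(release_blob: bytes, tag_blob: bytes) -> Dict[str, List[str]]:
    """Full check: digest both tarballs, diff them, and attach the flagged list."""
    report = compare_release_to_tag(digest_tarball(release_blob), digest_tarball(tag_blob))
    report["unexpected"] = unexpected_changes(report)
    return report


def demo() -> Dict[str, List[str]]:
    """Run the audit over the constructed fixtures."""
    return audit(build_tar(RELEASE_TREE), build_tar(TAG_TREE))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On the constructed input the audit reports `configure` as tarball-only (allowed by the list) and flags `m4/checks.m4` because its content no longer matches the tag; in practice the two inputs would be the downloaded, signature-verified release tarball and the output of `git archive` for the tag the release claims to correspond to. An empty `unexpected` list is what a checked-in `configure` (option 2 in the thread) or a git-tag-only distribution (option 1 or 3) would make the normal case.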