[Linux-aus] How could we get society to adequately fund free software developers

Brian May brian at linuxpenguins.xyz
Thu Apr 4 16:59:49 AEDT 2024


Simon Lees via linux-aus <linux-aus at lists.linux.org.au> writes:

> With both Github and Gitlab it is possible to create releases from 
> artifacts created as part of pipelines / actions. When using this for a 
> release process it would be much harder for this kind of attack to 
> happen. Although both still allow manual uploads and there doesn't seem 
> to be a good indication of what is manual vs auto generated.

The attacker could potentially modify the pipelines / actions to include
malicious code in the released archive. Not sure how easy it would be
to obscure this, but after seeing the XZ attack, I think anything could
be possible here.

Even if the source code release is OK, what about prebuilt binaries?
Reproducible builds here could help a little. But not if the build steps
add the malicious code every time.

Typically upstream tarballs have legitimate changes from git, such
as autogenerated autotools files for example. Which in turn could be
hiding malicious code. Maybe we need to move to using git code and
archives autogenerated by a trusted entity (e.g. github) more and
more. Even if this means users need to build the autotools files
themselves.
-- 
Brian May @ Linux Penguins
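The check implied by the message above, that a release tarball should differ from the tagged git tree only by files the maintainer expects the release process to generate, can be automated. The following is an added example, not code from the thread or from any project it mentions: it takes two tar archives (the upstream release and the output of `git archive` for the same tag), strips the common top-level directory, and reports files that exist only in the release, only in git, or whose contents differ. The two archives, the file names inside them and the `EXPECTED_GENERATED` allowlist are all constructed for the example; a real project's allowlist would hold whatever its `make dist` legitimately adds.

```python
import hashlib
import io
import tarfile


def _tar_members(data: bytes) -> dict:
    """Map path -> sha256 of content for regular files in a tar archive.

    Both `git archive --prefix=NAME/` and autotools `make dist` wrap
    everything in one top-level directory; if every file shares such a
    directory it is stripped so the two trees compare path-for-path.
    """
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        files = [m for m in tf.getmembers() if m.isfile()]
        tops = {m.name.split("/", 1)[0] for m in files}
        strip = len(tops) == 1 and all("/" in m.name for m in files)
        for m in files:
            path = m.name.split("/", 1)[1] if strip else m.name
            out[path] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out


def compare_release_to_git(release_tar: bytes, git_archive_tar: bytes) -> dict:
    """Classify every file as only-in-release, only-in-git or modified."""
    rel = _tar_members(release_tar)
    git = _tar_members(git_archive_tar)
    return {
        "only_in_release": sorted(set(rel) - set(git)),
        "only_in_git": sorted(set(git) - set(rel)),
        "modified": sorted(p for p in rel.keys() & git.keys() if rel[p] != git[p]),
    }


# Assumed allowlist of files the release process is expected to generate.
# Anything else that appears only in the tarball, or any tracked file whose
# content changed, is what a reviewer should look at first.
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def suspicious(report: dict) -> list:
    """Return the paths that need a human look: unexpected additions plus
    every tracked file whose content differs from git."""
    unexpected = [p for p in report["only_in_release"] if p not in EXPECTED_GENERATED]
    return sorted(unexpected + report["modified"])


def _make_tar(prefix: str, files: dict) -> bytes:
    """Build a small gzip tarball in memory (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed trees: what `git archive` of the tag would contain, and a
# release tarball that adds generated files plus one extra m4 macro and
# silently changes a tracked source file.
GIT_TREE = {
    "configure.ac": "AC_INIT([demo], [1.0])\n",
    "src/main.c": "int main(void) { return 0; }\n",
    "m4/ax_check.m4": "dnl harmless macro\n",
}
RELEASE_TREE = dict(GIT_TREE)
RELEASE_TREE.update({
    "configure": "#!/bin/sh\n# generated by autoconf\n",
    "Makefile.in": "# generated by automake\n",
    "m4/extra-helper.m4": "dnl macro present only in the tarball\n",
    "src/main.c": "int main(void) { return 1; }\n",
})


def demo() -> dict:
    report = compare_release_to_git(_make_tar("demo-1.0", RELEASE_TREE),
                                    _make_tar("demo-1.0", GIT_TREE))
    report["suspicious"] = suspicious(report)
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Against a real project, the git side comes from `git archive --format=tar --prefix=PROJECT-VERSION/ TAG` and the release side from the published tarball; the function does not care which compression either uses. The allowlist only says which additions are boring; a generated `configure` is still a script that runs on every user's machine, so the stronger move the message argues for is to regenerate it locally and diff that against the shipped copy too.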

