[Linux-aus] How could we get society to adequately fund free software developers

Simon Lees sflees at suse.de
Thu Apr 4 14:40:17 AEDT 2024



On 4/4/24 10:55 AM, Nathan Bailey via linux-aus wrote:
> In both examples (xz-utils and the event-stream example Brian points to 
> below), there was a divergence between the tarball and github.
> 
> Perhaps a github-based function should be developed to verify that the 
> primary publishing destination of the packages tarball is a true 
> representation of the github repository?
> (providing some kind of green tick on GitHub that the referenced tarball 
> (presumably on another site) is legitimate)
> -N

With both Github and Gitlab it is possible to create releases from 
artifacts created as part of pipelines / actions. When using this for a 
release process it would be much harder for this kind of attack to 
happen. Although both still allow manual uploads and there doesn't seem 
to be a good indication of what is manual vs auto generated.

Github by default also uses a different naming and compression format to 
what most open source upstreams expect, so changing this would also make 
it easier for more projects to adopt. I.e. the current github format is 
just v2.7.1.tar.gz based off the tag name, whereas historically most 
upstreams will use project-name-2.7.1.tar.xz


-- 
Simon Lees (Simotek)                            http://simotek.net

Emergency Update Team                           keybase.io/simotek
SUSE Linux                           Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
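The check Nathan proposes (is the published tarball a true representation of the repository?) can be approximated locally by diffing a release tarball against an archive of the tagged tree. The following is an added example, not code from this thread or from any forge; it assumes both inputs are tar archives (as `git archive` or the forge's auto-generated download would produce) and that the only legitimate differences are a known set of generated files such as `configure`. Sample tarballs are constructed in memory so it runs offline. A file that exists in both trees but differs is treated as the red flag, while extra generated files are tolerated only if they are on an expected list.

```python
import hashlib
import io
import tarfile
from typing import Dict, List, Set, Tuple


def _file_hashes(tar_bytes: bytes) -> Dict[str, str]:
    """Map every regular file in the archive to its SHA-256.

    The leading path component is dropped: the forge archive is rooted at
    the tag name (v2.7.1/...) while an upstream release is rooted at
    project-name-2.7.1/..., and we want the two trees to line up.
    """
    hashes: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            data = tf.extractfile(member).read()
            hashes[rel] = hashlib.sha256(data).hexdigest()
    return hashes


def compare_tarballs(release: bytes, vcs_archive: bytes) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_in_release, only_in_vcs, changed) as sorted path lists."""
    rel = _file_hashes(release)
    vcs = _file_hashes(vcs_archive)
    only_in_release = sorted(set(rel) - set(vcs))
    only_in_vcs = sorted(set(vcs) - set(rel))
    changed = sorted(p for p in rel.keys() & vcs.keys() if rel[p] != vcs[p])
    return only_in_release, only_in_vcs, changed


def release_matches_vcs(release: bytes, vcs_archive: bytes, expected_generated: Set[str]) -> bool:
    """True only if no tracked file was altered, nothing tracked is missing,
    and every extra file in the release is a known generated artifact."""
    only_in_release, only_in_vcs, changed = compare_tarballs(release, vcs_archive)
    if changed or only_in_vcs:
        return False
    return set(only_in_release) <= expected_generated


def make_tarball(prefix: str, files: Dict[str, bytes]) -> bytes:
    """Build a gzip tarball in memory with every path under `prefix/`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample trees (hypothetical project, not a real release).
VCS_TREE = {
    "configure.ac": b"AC_INIT([demo], [2.7.1])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/local.m4": b"dnl local macros\n",
}
# A clean release: same sources plus the generated configure script.
CLEAN_RELEASE_TREE = dict(VCS_TREE, **{"configure": b"#!/bin/sh\nexit 0\n"})
# A tampered release: configure is present as expected, but a tracked
# macro file no longer matches what the repository holds.
TAMPERED_RELEASE_TREE = dict(CLEAN_RELEASE_TREE, **{"m4/local.m4": b"dnl altered\n"})

VCS_TARBALL = make_tarball("v2.7.1", VCS_TREE)
CLEAN_RELEASE = make_tarball("demo-2.7.1", CLEAN_RELEASE_TREE)
TAMPERED_RELEASE = make_tarball("demo-2.7.1", TAMPERED_RELEASE_TREE)

EXPECTED_GENERATED = {"configure"}

if __name__ == "__main__":
    print("clean:", compare_tarballs(CLEAN_RELEASE, VCS_TARBALL))
    print("tampered:", compare_tarballs(TAMPERED_RELEASE, VCS_TARBALL))
    print("tampered ok?", release_matches_vcs(TAMPERED_RELEASE, VCS_TARBALL, EXPECTED_GENERATED))
```

In practice the `vcs_archive` input would come from `git archive <tag>` run against a locally verified clone, and `expected_generated` would be the project's documented list of files that its release script produces; anything outside that list, or any tracked file whose hash differs, is what a reviewer should look at before the tarball is packaged.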