Hi Artem,
I disagree that the idea is not appropriate. Ensuring that the tar.gz
you are getting is exactly what it is in the git repo reduces a lot of
risk. So, it makes a lot of sense to get rid of the practice of
distributing tar.gz with pregenerated build scripts not present in the
git repo that has not been reviewed, without an audit trail implicit in
the git history, and without a clear non-repudiateable authorship.
Ignoring them and regenerating them is a step forward.
I bet the JT user would not have been able to put the attack in the git
source code without Lasse seeing it, or other developers, or tools
eventually seeing it, sooner than if it had been obfuscated in the
"release" downloads (as it was).
Regarding the multiple eyes, that is not the goal, but the goal is
multiple *skilled* eyes.
At the end of the day, this is not about building a bullet-proof system
since that's unrealistic, but a system that makes it very hard by
setting up tools and processes that mitigate the risk significantly.
Regards,
Carlos.
On 3/30/24 12:43, Artem S. Tashkinov via devel wrote:
And of course, would be great to employ all the methods