repo contains binaries that are hard to verify #10209
Comments
Just to be very clear to anyone reading, it's worth noting that the "binaries" identified under this issue are not executables or libraries, and do not contain any code. Additionally they do not ship with any product. I would be very interested to know about any vulnerabilities or attack vectors these files create, but I personally can't think of one. Additionally I think generating these files at build time would obfuscate their contents and make it much harder to reason about when or how they might change. For example, let's assume a malicious contributor wanted to replace the zip file with a zip bomb, as an attack on the build machines we use. If that file were generated by a script then we would have to validate all changes to the script, and any dependencies, to determine if it had changed in any malicious way. That would expose us to exactly the sort of supply chain attacks mentioned in the issue. As it stands now however, if a contributor opened a PR that modified the zip file in any way, it would be immediately suspicious and something we would definitely notice.
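The comment above argues that a checked-in fixture is easier to audit than a generated one because any change to the bytes is visible in a PR, and names a zip bomb as the concrete thing a reviewer would want to catch. The script below is an added example (not code from this repository or its maintainers) of how a CI job could make that review mechanical: it pins each binary fixture to a SHA-256 in a manifest, flags fixtures that are unlisted or whose hash changed, and, for zip archives, reads only the central directory to reject archives whose declared uncompressed size is implausibly large relative to their compressed size. The manifest layout, fixture names, the 100x ratio threshold and all sample data are constructed assumptions for this example.

```python
"""Verify checked-in binary test fixtures against a pinned manifest and flag
zip archives with extreme declared compression ratios.

Added example; not code from the project discussed in the issue. Manifest
format, file names and the ratio threshold are assumptions.
"""
import hashlib
import io
import zipfile

# Declared uncompressed bytes / compressed bytes above which an archive is
# treated as suspicious. Ordinary test data compresses a few times over;
# archives built to exhaust disk or memory declare ratios in the thousands.
# Threshold is an assumption for this example.
MAX_RATIO = 100.0


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of the fixture bytes as stored in the repo."""
    return hashlib.sha256(data).hexdigest()


def zip_ratio(data: bytes) -> float:
    """Sum of declared uncompressed sizes over compressed sizes, read from the
    central directory. Nothing is extracted, so a bomb costs no disk or RAM."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        uncompressed = sum(i.file_size for i in infos)
    if compressed == 0:
        return float("inf") if uncompressed else 0.0
    return uncompressed / compressed


def check_fixture(name: str, data: bytes, manifest: dict) -> list:
    """Return a list of findings for one fixture; an empty list means it is
    exactly the pinned file and (for zips) has a plausible ratio."""
    findings = []
    expected = manifest.get(name)
    actual = sha256_bytes(data)
    if expected is None:
        findings.append(f"{name}: not in manifest (new binary needs review)")
    elif expected != actual:
        findings.append(f"{name}: hash mismatch (expected {expected[:12]}..., "
                        f"got {actual[:12]}...)")
    if name.lower().endswith(".zip"):
        try:
            ratio = zip_ratio(data)
        except zipfile.BadZipFile:
            findings.append(f"{name}: not a valid zip archive")
        else:
            if ratio > MAX_RATIO:
                findings.append(f"{name}: compression ratio {ratio:.0f}x "
                                f"exceeds {MAX_RATIO:.0f}x")
    return findings


def make_zip(entries: dict) -> bytes:
    """Build a small zip archive in memory from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in entries.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed fixtures: a benign benchmark input with modest redundancy, and a
# 10 MiB run of zeros that deflates to a few KiB (ratio ~1000x).
BENIGN_ZIP = make_zip({"input.bin": b"benchmark input: " + bytes(range(256)) * 4})
TAMPERED_ZIP = make_zip({"input.bin": b"benchmark input: " + bytes(range(256)) * 4 + b"!"})
BOMB_LIKE_ZIP = make_zip({"zeros.bin": b"\x00" * (10 * 1024 * 1024)})

# The manifest a reviewer would commit alongside the fixtures (assumed format).
MANIFEST = {"benign.zip": sha256_bytes(BENIGN_ZIP)}


def run_checks() -> dict:
    """Run the check over the constructed fixtures; keys describe each case."""
    return {
        "pinned": check_fixture("benign.zip", BENIGN_ZIP, MANIFEST),
        "tampered": check_fixture("benign.zip", TAMPERED_ZIP, MANIFEST),
        "unlisted": check_fixture("unlisted.zip", BENIGN_ZIP, MANIFEST),
        "bomb": check_fixture("bomb.zip", BOMB_LIKE_ZIP, MANIFEST),
    }


if __name__ == "__main__":
    for case, findings in run_checks().items():
        print(case, "->", findings or "OK")
```

In a real CI job the manifest would be a committed file and the check would iterate over the fixture directory; a PR that changes a fixture then has to change the manifest in the same diff, which is exactly the visible, reviewable event the comment relies on. The ratio check complements the hash: it catches a replacement archive even on the first commit that introduces it, before anyone pins a hash for it.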
Read this post: https://gynvael.coldwind.pl/?lang=en&id=782
This repo contains some binaries used in benchmarks and tests:
Given the recent supply chain attack against xz, would it be possible to remove these binaries from the repo? Or, perhaps to generate them at build time? Or perhaps to have a way to reproduce/re-generate the binaries via some script/code to make the generation more auditable and reproducible?
cc @richlander