by hypnagogic
808 days ago
> The tarballs mismatching from the git tree is a feature, not a bug.

A feature which allowed the exploit to take place, let's put it that way. Over here: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78b...

> The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf. The version of build-to-host.m4 in the release tarballs differs wildly from the upstream on GitHub.

Multiple suggestions on that thread on how that's a legacy practice that might be outdated, especially in the current climate of cyber threats. Someone even posted a more thorough gist on what could be done to increase transparency and reduce discrepancies between tarballs and repos: https://gist.github.com/smintrh78/97b5cb4d8332ea4808f25b47c8...