Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://udongein.xyz/objects/14ad055b-385b-44c5-ab2b-5a974d10a03f">LisPi (lispi314@udongein.xyz)'s status on Monday, 01-Apr-2024 10:12:02 JST</a><a href="https://udongein.xyz/users/lispi314" title="lispi314@udongein.xyz"><img src="https://gnusocial.jp/avatar/209694-48-20231106080216.webp" width="48" height="48" alt="LisPi" style="position: absolute; left: 0; top: 0;">LisPi</a><div><a href="https://nerdculture.de/@kirschwipfel/112183708887529887" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/148990" title="kirschwipfel@nerdculture.de">🍒🌳 Hartmut Goebel</a></li><li><a href="https://gnusocial.jp/user/252580" title="andresfreundtec@mastodon.social">AndresFreundTec</a></li></ul></div></section><article><a href="https://nerdculture.de/@kirschwipfel">@kirschwipfel</a> <a href="https://mastodon.social/@glyph">@glyph</a> <a href="https://mastodon.social/@AndresFreundTec">@AndresFreundTec</a> &gt; If the packager chooses to use the official tarball as "the source", validating the checksum would not have helped. :-(<br><br>Unfortunately, yeah.<br><br>&gt; Also whether it's always possible to run running autoreconf depends on the content of the tarball.<br><br>Of course if it isn't a C project then it probably isn't. If it is such a project, then one should have such tooling installed.<br><br>&gt; Which brings me to the (preliminary) conclusion that we'd better use repos as source of trust<br><br>That is more sensible generally, as the history of an object and its belonging to a project is a reified (and verifiable) relationship under code versioning sytems, unlike arbitrary buckets of files.</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2879212#notice-5736951">In conversation</a><time datetime="2024-04-01T10:12:02+09:00" title="Monday, 01-Apr-2024 10:12:02 JST">about 8 months ago</time> <span>from <span><a href="https://udongein.xyz/objects/14ad055b-385b-44c5-ab2b-5a974d10a03f" rel="external" title="Sent from udongein.xyz via ActivityPub">udongein.xyz</a></span></span><a href="https://udongein.xyz/objects/14ad055b-385b-44c5-ab2b-5a974d10a03f">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Monday, 01-Apr-2024 10:12:02 JSTLisPi
in reply to
@kirschwipfel @glyph @AndresFreundTec > If the packager chooses to use the official tarball as "the source", validating the checksum would not have helped. :-(

Unfortunately, yeah.

> Also whether it's always possible to run running autoreconf depends on the content of the tarball.

Of course if it isn't a C project then it probably isn't. If it is such a project, then one should have such tooling installed.

> Which brings me to the (preliminary) conclusion that we'd better use repos as source of trust

That is more sensible generally, as the history of an object and its belonging to a project is a reified (and verifiable) relationship under code versioning sytems, unlike arbitrary buckets of files.
In conversationabout 8 months ago from udongein.xyzpermalink

Public

Embed Notice

HTML Code

Corresponding Notice