@martin_ueding @glyph @AndresFreundTec @kirschwipfel > Sounds good. But some projects have a build stage which generates lots of things. Packagers for distributions need to set up the needed environment and perform these steps. It seems much easier to use a provided artifact in these cases.
If you don't care about reliability, build-reproducibility and trustworthiness of your distro, sure.
> I think this attack is hard to defend against: An evil insider in the project with control over the code and artifacts.
Compromise of artifacts is a lot easier; you can ask the Linux Mint project about that.
> One could also hide malicious stuff in the code itself directly, in plain sight.
That requires a project with such awful code practices (accepting random unauditable blobs) that you'd hope the package maintainers would simply refuse to add it in the first place.
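The check the reply is arguing for, as an added example that is not part of the thread or of any project's tooling: a packager rebuilds the artifact from the source tree and compares its digest with the blob upstream ships, rather than packaging the blob as-is. The source tree, the toy "build" (sorted, size-prefixed concatenation standing in for a real deterministic build), and the tampered copy are all constructed here for illustration; a real rebuild additionally needs a pinned toolchain and build environment, which this script does not model.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild an artifact from source and
# compare it to the "provided" one instead of trusting the shipped blob.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Portable SHA-256 of a file (coreutils sha256sum, or shasum where absent).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Deterministic toy "build" (assumed format, not any project's): every file in
# the tree, in sorted path order, each prefixed with its path and byte size.
# Same inputs therefore always yield byte-identical output.
build_artifact() {
    src=$1; out=$2
    : > "$out"
    (cd "$src" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        size=$(wc -c < "$src/$f" | tr -d ' ')
        printf '%s %s\n' "$f" "$size" >> "$out"
        cat "$src/$f" >> "$out"
    done
}

# Compare what upstream ships against what we rebuilt independently.
# Returns 0 on a byte-identical match, 1 otherwise.
verify_artifact() {
    provided=$1; rebuilt=$2
    p=$(digest "$provided"); r=$(digest "$rebuilt")
    if [ "$p" = "$r" ]; then
        echo "match: $p"
        return 0
    fi
    echo "MISMATCH: provided=$p rebuilt=$r" >&2
    return 1
}

# Constructed toy source tree, standing in for a checked-out release tag.
SRC_DIR=$WORK/src
mkdir -p "$SRC_DIR/lib"
printf 'echo hello\n' > "$SRC_DIR/hello.sh"
printf 'VERSION=1.0\n' > "$SRC_DIR/lib/version.sh"

# Upstream's artifact is an honest build of that tree...
PROVIDED=$WORK/upstream.bin
build_artifact "$SRC_DIR" "$PROVIDED"

# ...and the packager rebuilds from the same source on their own machine.
REBUILT=$WORK/rebuilt.bin
build_artifact "$SRC_DIR" "$REBUILT"

# A compromised download: the same artifact with one extra line appended,
# which no amount of reading the source tree would reveal.
TAMPERED=$WORK/tampered.bin
cp "$PROVIDED" "$TAMPERED"
printf 'echo tampered\n' >> "$TAMPERED"

verify_artifact "$PROVIDED" "$REBUILT"          # match
verify_artifact "$TAMPERED" "$REBUILT" || true  # MISMATCH
```

The point of the comparison is that the rebuilt file, not the downloaded one, is what gets packaged; the digest check only tells you whether upstream's blob was worth trusting in the first place.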