Once upon a time, Richard W.M. Jones rjones@redhat.com said:
> On Fri, Mar 29, 2024 at 07:44:12PM +0100, Mikel Olasagasti wrote:
> > Do we know if GH release tarballs are safe? @richard, do you remember why you had to change the source for the tarball?
> Sadly the release tarballs we used *do* contain the vulnerability. I checked myself that the payload is present in the final xz RPMs.
> I read that this did not go into the git history, so downloading a Github-generated tarball SHOULD be safe (note SHOULD: I did not personally check).
I guess a new security check when using release tarballs for projects with public git that also supports tarball generation would be to have both sources and compare. Signed sources don't help when the signer is the problem.
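One way to automate the comparison proposed above, as an added example that is not code from this thread or from the xz project: hash every regular file in a release tarball and in a git-generated archive, then report files that only exist in one of them or whose contents differ. The archives, file names and the allowlist of autotools-generated files are all constructed here for illustration.

```python
"""Compare a release tarball against a git-generated archive of the same tag."""
import hashlib
import io
import tarfile

# Assumed allowlist: files autotools emits into release tarballs but which are
# not committed to git. They are exempted from the "only in release" report
# only; they still deserve regeneration with the project's own tooling.
GENERATED_OK = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def file_digests(tar_bytes: bytes) -> dict:
    """Map each regular file's path (top-level directory stripped) to SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Release and git archives use different top-level directory
            # names (e.g. proj-1.0/ vs proj-v1.0/), so compare relative paths.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_tarballs(release: bytes, git_archive: bytes) -> dict:
    """Return paths only in the release, only in git, or present in both but changed."""
    rel, git = file_digests(release), file_digests(git_archive)
    return {
        "only_in_release": sorted(p for p in rel if p not in git and p not in GENERATED_OK),
        "only_in_git": sorted(p for p in git if p not in rel),
        "changed": sorted(p for p in rel if p in git and rel[p] != git[p]),
    }


def make_tar(files: dict, topdir: str) -> bytes:
    """Build a gzipped tarball in memory (used only to construct sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{topdir}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the release carries one modified macro, one extra macro
# file, and a generated configure script; the git archive has only what is committed.
GIT_FILES = {"m4/example.m4": b"dnl macro v1\n", "src/main.c": b"int main(void){return 0;}\n"}
RELEASE_FILES = {**GIT_FILES, "m4/example.m4": b"dnl macro v1 plus extra lines\n",
                 "m4/extra.m4": b"dnl not in git\n", "configure": b"#!/bin/sh\n"}

if __name__ == "__main__":
    print(compare_tarballs(make_tar(RELEASE_FILES, "proj-1.0"), make_tar(GIT_FILES, "proj-v1.0")))
```

Any non-empty `changed` or `only_in_release` entry is what a reviewer should inspect by hand; an empty report only says the two sources agree, not that either is trustworthy.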