• ozymandias117@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    7 months ago

    As much as I love openSUSE, and reproducible builds are a core requirement for trusted computing…

    reproducible builds were reported as being useful

    Really buries the lede of the xz attack results

    either both are trojaned, or none

    Edit: It is very useful for the first half - to ensure new packages extracted by a compromised xz weren’t modified during the extraction.

    It’s just that reproducing the build of the tampered xz would still produce a bit-for-bit identical compromised version due to the way it modified the build system