Too inflexibly ideological. There are infinite things that most properly belong in a release file and not in the source, that can't be generated from that source by github actions, and separately no one should be compelled to use github actions.
Because then for autoconf codebases you have to commit `./configure` or you have to require that users have autoconf installed and run `autoreconf -fi` first.
Maybe autoconf-using projects should really just require that users have autoconf installed.
If committing configure is objectionable, perhaps there could be "service" repositories that are not directly writable and are guaranteed to be nothing more than the base repo + autoconf cruft used to generate the releases.
Well, for example in jq we do commit bison/flex outputs because for users ensuring that they have the right version of those can be tricky. We could do the same w.r.t. autoconf and its outputs, though again, that won't preclude backdoors.
Committing built artifacts presents similar problems: how do you know that the committed artifacts are in fact derived from their sources? Or from non-backdoored versions of build tools for that matter? Hello Ken Thompson attacks.
I don't believe there's a nice easy answer to these questions.
What we do in jq is rely on GitHub Actions to run the build and `make dist`. In fact, we could now stop committing the bison/flex outputs, too, since we can make sure that the tarball includes them.
We do also publish the git repo snapshots that GitHub auto-generates for releases, though we do that because GitHub doesn't give one a choice.
Thinking about this more: maybe there would be some benefit to GitHub taking control of "release" repositories that may only be written to by GA. They'd write everything -- maybe as a docker image -- so anyone could pull down the image and compare SHAs, or whatever. And maybe this could also be done by their competitors. The ultimate goal would be to have multiple trusted parties performing the build on the same code producing the same output, and allowing any randos to do the same.
If the source is included in those images, we could conceivably prove that the target was based on the source.
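One concrete form of that check, for the "proves the target was based on the source" point here and for the earlier question of whether shipped artifacts really derive from their sources, as an added example that is not from this thread or from jq: compare an unpacked release tree against a git checkout, and let only an explicit allow list of generated files (configure, bison/flex outputs) exist in the release but not in git. The `check_dist` and `demo` functions, the allow-list file format and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not jq's tooling): report every way an
# unpacked release tree differs from a git checkout. Files in both must be
# byte-identical; files only in the release must be on an allow list of
# expected generated outputs; files only in git are flagged for a human look.
set -eu

# check_dist RELEASE_DIR SRC_DIR ALLOW_FILE -> prints one line per problem
check_dist() {
  rel=$1; src=$2; allow=$3
  tmp=$(mktemp -d)
  (cd "$rel" && find . -type f | sort) > "$tmp/rel.lst"
  (cd "$src" && find . -type f -not -path './.git/*' | sort) > "$tmp/src.lst"
  # Only in the release tree: must be an allow-listed generated file.
  comm -23 "$tmp/rel.lst" "$tmp/src.lst" | while IFS= read -r f; do
    grep -qxF -- "$f" "$allow" || echo "extra file not on allow list: $f"
  done
  # Only in the source tree: the release dropped something (export-ignore or
  # otherwise); worth a look either way.
  comm -13 "$tmp/rel.lst" "$tmp/src.lst" | sed 's/^/missing from release: /'
  # In both trees: contents must match exactly.
  comm -12 "$tmp/rel.lst" "$tmp/src.lst" | while IFS= read -r f; do
    cmp -s -- "$rel/$f" "$src/$f" || echo "content differs: $f"
  done
  rm -rf "$tmp"
}

# demo: builds a constructed release/source pair and prints the problem count.
# The release carries an expected generated `configure` plus one file that is
# neither in git nor allow-listed, so exactly one problem is reported.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/src/.git" "$d/rel"
  printf 'int main(void){return 0;}\n' > "$d/src/main.c"
  printf 'AC_INIT([demo],[1.0])\n' > "$d/src/configure.ac"
  cp "$d/src/main.c" "$d/src/configure.ac" "$d/rel/"
  printf '#!/bin/sh\necho configuring\n' > "$d/rel/configure"  # allow-listed
  printf 'not in git\n' > "$d/rel/extra.m4"                     # constructed stray file
  printf '%s\n' ./configure > "$d/allow.lst"
  check_dist "$d/rel" "$d/src" "$d/allow.lst" | wc -l | tr -d ' '
  rm -rf "$d"
}

demo
```

Run it against a real tarball by extracting it next to a `git checkout <tag>` and listing the files `make dist` is expected to add; an empty report means the release adds nothing beyond that list.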
I find it incredibly ironic that a “version control” site gives no assurance of reproducible builds (nor reproducible source!!)
The real villain is not the perpetrator, it is Microsoft, and it is all of us.