git.vger.kernel.org archive mirror
* criteria for linking to binaries from git-scm.com?
@ 2023-04-12  8:00 Jeff King
  2023-04-13  0:26 ` brian m. carlson
  0 siblings, 1 reply; 3+ messages in thread
From: Jeff King @ 2023-04-12  8:00 UTC (permalink / raw)
  To: git

There's an interesting question raised in an issue in the git-scm.com
repo that I think would benefit from input from community folks here.

The link is:

  https://github.com/git/git-scm.com/issues/1774#issuecomment-1504829495

but the tl;dr is:

  From a supply chain perspective, what are our criteria for linking to
  a third party's pre-built binaries from git-scm.com?

Obviously we don't want to point people at malicious or trojaned
binaries. But we probably also bear some responsibility for making sure
the third party has reasonable security practices themselves.

I don't have a strong opinion myself, and this is probably a giant can
of worms. But it seemed like the kind of thing that should be getting
attention from the greater community, and not just languishing in that
repo (both to set a policy for new requests, but also maybe to evaluate
existing binaries we point to).

-Peff


* Re: criteria for linking to binaries from git-scm.com?
  2023-04-12  8:00 criteria for linking to binaries from git-scm.com? Jeff King
@ 2023-04-13  0:26 ` brian m. carlson
  2023-04-13 13:43   ` Derrick Stolee
  0 siblings, 1 reply; 3+ messages in thread
From: brian m. carlson @ 2023-04-13  0:26 UTC (permalink / raw)
  To: Jeff King; +Cc: git

On 2023-04-12 at 08:00:19, Jeff King wrote:
> There's an interesting question raised in an issue in the git-scm.com
> repo that I think would benefit from input from community folks here.
> 
> The link is:
> 
>   https://github.com/git/git-scm.com/issues/1774#issuecomment-1504829495
> 
> but the tl;dr is:
> 
>   From a supply chain perspective, what are our criteria for linking to
>   a third party's pre-built binaries from git-scm.com?

I think we should ideally suggest distribution binaries where those are
autobuilt and the distributor is complying with the license.  For macOS,
Apple is providing their own binaries, and if people want more
up-to-date versions, we could suggest Homebrew.  For Linux and BSD
systems, that would be pointing people to their OS distributor.

For Windows, I think most people are going to use Git for Windows and I
don't believe Microsoft is providing its own binaries as part of the OS.
I believe Git for Windows is autobuilt using CI.

> Obviously we don't want to point people at malicious or trojaned
> binaries. But we probably also bear some responsibility for making sure
> the third party has reasonable security practices themselves.

This is why I suggested autobuilt binaries only.  Typically OS
distributors have some sort of reasonably well secured autobuild
infrastructure.  I think it's safe to assume major distros have secured
their autobuild infrastructure unless we've seen evidence to the
contrary, because otherwise we'd need to be security auditors, which I
don't want to be.  Note that I wouldn't object if the binaries are
manually signed (say, because the key lives on a human's security key),
but I feel like that's practically unlikely for most OS distributors.

If we have evidence that people are not complying with the license, then
we should refuse to link to those binaries and not recommend that as a
trusted source.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA


* Re: criteria for linking to binaries from git-scm.com?
  2023-04-13  0:26 ` brian m. carlson
@ 2023-04-13 13:43   ` Derrick Stolee
  0 siblings, 0 replies; 3+ messages in thread
From: Derrick Stolee @ 2023-04-13 13:43 UTC (permalink / raw)
  To: brian m. carlson, Jeff King, git

On 4/12/2023 8:26 PM, brian m. carlson wrote:
> On 2023-04-12 at 08:00:19, Jeff King wrote:
>> There's an interesting question raised in an issue in the git-scm.com
>> repo that I think would benefit from input from community folks here.
>>
>> The link is:
>>
>>   https://github.com/git/git-scm.com/issues/1774#issuecomment-1504829495
>>
>> but the tl;dr is:
>>
>>   From a supply chain perspective, what are our criteria for linking to
>>   a third party's pre-built binaries from git-scm.com?
> 
> I think we should ideally suggest distribution binaries where those are
> autobuilt and the distributor is complying with the license.  For macOS,
> Apple is providing their own binaries, and if people want more
> up-to-date versions, we could suggest Homebrew.  For Linux and BSD
> systems, that would be pointing people to their OS distributor.

And on this note, https://git-scm.com/download/mac lists

  Binary installer
  Tim Harper provides an installer for Git. The latest version is
  2.33.0, which was released over 1 year ago, on 2021-08-30.

Perhaps it is time to drop this reference?

Thanks,
-Stolee
