Please review the draft for May's report

kpcyrd kpcyrd at archlinux.org
Fri Jun 7 22:25:40 UTC 2024


On 6/5/24 2:27 PM, Chris Lamb wrote:
> Please review the draft for May's Reproducible Builds report:

> whilst “there seems to be consensus about [the] source code for zsh
> 5.9” in various Linux distributions, it “does not align with the
> contents of the zsh Git repository”.

This is factually correct but sounds like there's an acute mismatch with 
zsh (like there was with xz), while with zsh it's a "normal" mismatch*.

It's difficult to explain the nuances of this. Prior to the xz incident 
I also wasn't fully aware of how autotools "dist-tarballs" work in 
detail, and considering this only affects a 5% minority of the tarballs 
I've indexed (11.774 of 235.405) I assume many other people also never 
heard of this before.

Some people are likely going to claim "this is normal and you need to do 
reproducible builds to match dist-tarballs to git repositories" and 
people are making their own custom toy-scripts for this[1] but I don't 
see that happening at scale, especially since this is a problem we don't 
need to have in the first place if we just stick to un-preprocessed 
tarballs, and instead build the configure script on the official distro 
build-servers as part of the regular build - which would then already be 
covered by regular reproducible builds infrastructure.

[1]: https://github.com/curl/curl/pull/13250/files

cheers,
kpcyrd

*: as far as I can tell, but keep in mind I also couldn't spot the xz 
backdoor even after the writeup was published, which is why I think we 
should de-normalize illegible build scripts, and instead take a 'nothing 
up my sleeve'-approach like I did with i-probably-didnt-backdoor-this 3 
years ago.
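The mismatch described above can be checked mechanically: compare a release tarball against the files tracked in the project's git tree and report what the tarball adds (generated files such as `configure`), what it drops, and what differs in content. This is an added example, not code from the message or from any project; the git checkout is stood in for by an in-memory dict of path to contents and the tarball is constructed inline.

```python
import hashlib
import io
import tarfile
from typing import Dict, List, Tuple

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_members(tar_bytes: bytes) -> Dict[str, bytes]:
    """Map each regular file in the tarball to its contents, with the
    top-level 'name-version/' directory stripped so paths line up with git."""
    out: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            path = m.name.split("/", 1)[1] if "/" in m.name else m.name
            out[path] = tf.extractfile(m).read()
    return out

def compare(tarball: Dict[str, bytes], tree: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_in_tarball, only_in_tree, differing_contents).
    Entries in the first list are what 'make dist' added, e.g. autoconf output."""
    only_tar = sorted(set(tarball) - set(tree))
    only_tree = sorted(set(tree) - set(tarball))
    differing = sorted(p for p in set(tarball) & set(tree)
                       if sha256(tarball[p]) != sha256(tree[p]))
    return only_tar, only_tree, differing

def build_tarball(files: Dict[str, bytes], topdir: str) -> bytes:
    """Constructed helper: pack a dict of files into a gzipped tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{topdir}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data: a tiny "git checkout" and a dist tarball of it
# that adds a generated configure script and ships a modified main.c.
GIT_TREE = {"configure.ac": b"AC_INIT([demo],[1.0])\n",
            "src/main.c": b"int main(void){return 0;}\n",
            "README": b"demo\n"}
DIST_TARBALL = build_tarball({**GIT_TREE,
                              "configure": b"#!/bin/sh\n# generated by autoconf\n",
                              "src/main.c": b"int main(void){return 1;}\n"}, "demo-1.0")

def audit(tar_bytes: bytes = DIST_TARBALL, tree: Dict[str, bytes] = GIT_TREE):
    return compare(tarball_members(tar_bytes), tree)
```

Anything in the "differing" list is the case that matters for review: a tarball that is not merely git plus generated files, but git with altered sources.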

