MIvanchev / static-wine32

A Docker recipe for building a statically compiled 32-bit Wine for x86_64
BSD 3-Clause "New" or "Revised" License
70 stars 3 forks

Broken source releases downloads for XZ and Zlib #12

Open nullgemm opened 3 months ago

nullgemm commented 3 months ago

It seems the target Zlib file name was overlooked when updating the source URL. Also due to the recent XZ backdoor issue the upstream tarballs are no longer available. I fixed both of these lines on my branch and everything works fine with these changes. I can open a PR if you're OK with using the non-HTTPS debian source, but getting that over HTTP somehow feels a bit strange now :) I guess you know better than I do how you want to fix that so I'm just opening an issue.

MIvanchev commented 3 months ago

Please open a PR, yes, thank you. I've fixed the zlib issue already in the update I'm preparing for Wine 9.5 and 9.6 (will be pushing it tomorrow) but I forgot about XZ so yeah, let's have the HTTP for now... thanks for reminding me. Btw, the wine build will not be usable until tomorrow because I've updated the Wine repo already but not this repo due to rushing it and now there is some stuff I still need to finish patching. If you're experimenting however, glxgears and vkcube are usable to demonstrate the static Mesa. Thank you so much.

MIvanchev commented 3 months ago

@nullgemm I took https://git.tukaani.org/xz.git (tag v5.4.6) for xz, do you know if this version is good?

nullgemm commented 3 months ago

> @nullgemm I took https://git.tukaani.org/xz.git (tag v5.4.6) for xz, do you know if this version is good?

Yup, this is the latest stable version without compromised release tarballs.

Actually, as far as I understand reading the original writeup by Andres Freund the backdoor is only present when building xz using the original release tarballs for tags v5.6.0 and v5.6.1 distributed and signed by the attackers known as "Jia Tan".

Because most distros base their packages on these specially-crafted release tarballs the backdoor started spreading, but unless I'm terribly mistaken building even the latest versions from source should be enough to avoid the main backdoor issue. You only need to make sure you do not use anything above v5.4.6 if you rely on the official release tarballs.

However we should all keep in mind various parts of the XZ source itself were of course slowly and cautiously weakened by the attackers in order to make the backdoor possible, so it would be nice to bump the version number soon when https://git.tukaani.org/xz.git is finally force-pushed with a clean git history - according to tukaani.org that will give us v5.8.0?
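A small recipe checker, added here as an example and not part of this project or of anyone's comment: it flags xz sources the way the comments above describe them (release tarballs of 5.6.0/5.6.1, tarballs above v5.4.6, and whether a git.tukaani.org checkout is pinned to a tag). The sample Dockerfile lines and the example.invalid URLs are constructed.

```python
import re
from typing import Optional

# From the thread: only the release tarballs of these two versions are backdoored.
COMPROMISED_TARBALLS = {(5, 6, 0), (5, 6, 1)}
# From the thread: last stable tag whose release tarball is considered clean.
LAST_GOOD_TARBALL = (5, 4, 6)

# Official-style tarball names such as xz-5.4.6.tar.xz / .tar.gz / .tar.bz2
TARBALL_RE = re.compile(r"\bxz-(\d+)\.(\d+)\.(\d+)\.tar\.(?:xz|gz|bz2)\b")
# Upstream git repo, plus an optional "v5.4.6"-style tag somewhere on the line
GIT_REPO_RE = re.compile(r"git\.tukaani\.org/xz\.git")
GIT_TAG_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def classify_xz_source(line: str) -> Optional[str]:
    """Classify one build-recipe line; None when it does not fetch xz.

    'compromised'   tarball of a backdoored release (5.6.0 / 5.6.1)
    'tarball-risky' tarball newer than 5.4.6 (the thread says to avoid these)
    'tarball-ok'    tarball at or below 5.4.6
    'git-pinned'    upstream git checkout pinned to a version tag
    'git-unpinned'  upstream git checkout without a tag (not reproducible)
    """
    m = TARBALL_RE.search(line)
    if m:
        version = tuple(int(x) for x in m.groups())
        if version in COMPROMISED_TARBALLS:
            return "compromised"
        return "tarball-risky" if version > LAST_GOOD_TARBALL else "tarball-ok"
    if GIT_REPO_RE.search(line):
        return "git-pinned" if GIT_TAG_RE.search(line) else "git-unpinned"
    return None


def audit_recipe(text: str) -> list:
    """Return (line number, verdict, line) for every line that fetches xz."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        verdict = classify_xz_source(line)
        if verdict is not None:
            findings.append((lineno, verdict, line.strip()))
    return findings


# Constructed sample recipe fragment (not the project's real Dockerfile).
SAMPLE_RECIPE = """\
RUN wget https://example.invalid/xz-5.6.1.tar.xz && tar xf xz-5.6.1.tar.xz
RUN wget https://example.invalid/xz-5.4.6.tar.xz
RUN git clone --branch v5.4.6 https://git.tukaani.org/xz.git
RUN git clone https://git.tukaani.org/xz.git
RUN wget https://example.invalid/zlib-1.3.1.tar.gz
"""

if __name__ == "__main__":
    for lineno, verdict, line in audit_recipe(SAMPLE_RECIPE):
        print(f"{lineno}: {verdict:14} {line}")
```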