Closed totaam closed 4 months ago
We have a (non-vulnerable it seems) download link to xz: https://github.com/Xpra-org/gtk-osx-build/blob/49eb381e606c9453a194fa9a6c0b9b8818598b24/modulesets-stable/bootstrap.modules#L38-L41
And when GitHub took the whole project down because of CVE-2024-3094, this broke our builds.
I'm not saying that taking the project down was not the right thing to do.
Just a cautionary tale about reproducible builds.
Updated xz to 5.6.2 in 1050b4dcdf7fbedf1a43ee0a9dbab764342fbeba