Xpra-org / gtk-osx-build

Build setup to help building the Mac OS X port of GTK+
http://gtk-osx.sourceforge.net/

`xz-utils` CVE fallout broke our build #42

Closed totaam closed 4 months ago

totaam commented 6 months ago

We have a (non-vulnerable it seems) download link to xz: https://github.com/Xpra-org/gtk-osx-build/blob/49eb381e606c9453a194fa9a6c0b9b8818598b24/modulesets-stable/bootstrap.modules#L38-L41

And when GitHub took the whole project down because of CVE-2024-3094, this broke our builds...

I'm not saying that taking the project down was not the right thing to do.

Just a cautionary tale about reproducible builds.

totaam commented 4 months ago

Updated xz to 5.6.2 in 1050b4dcdf7fbedf1a43ee0a9dbab764342fbeba