From xz to ibus: more questionable tarballs

Context: ibus tarball vs git tag

  • A release-candidate tarball of ibus contains code not present in the corresponding tagged commit in git.
  • Change seems benign (extra Unicode range), likely from a local working tree being tar’d with uncommitted changes.
  • Core concern: such mismatches weren’t detected before distros imported the checksummed tarball.

Why tarballs differ from VCS trees

  • Traditional reasons:
    • Tarballs include generated files (e.g., configure scripts, codegen outputs, translations) so users don’t need heavy toolchains.
    • Tarballs may exclude dev-only scripts, CI configs, and IDE files.
  • Some projects intentionally do code generation only for releases and not in git.
  • Tools like .gitattributes (export-ignore, export-subst) can shape tarball contents, but are underused and may themselves be an attack surface.

Security implications & reproducibility

  • xz backdoor showed tarballs can hide code not in git, undermining “open source can be reviewed” arguments.
  • Extra files in tarballs enlarge attack surface, even in sandboxed builds.
  • GitHub auto-generated archives have had checksum instability issues; this undermines treating them as stable, signed artifacts.
  • Reproducible builds work has mostly focused on binaries, less on reproducible tarballs from VCS.

Trust: tarballs vs git repositories

  • One side: tarballs signed by maintainers are the authoritative, immutable source; if you don’t trust those, you can’t trust their git either.
  • Other side: public git repos have history, many eyes, and distributed copies — making tampering and quiet rewrites harder to hide.
  • Debate centers on traceability and detectability, not absolute trust: git’s structure and clones raise red flags more easily than opaque tarballs.
  • Counterpoint: the xz backdoor lived in git for a long time; detection came only once activated via tarball.

Ecosystem examples (npm, PyPI, Cargo, etc.)

  • Many package registries allow published artifacts to differ from linked git repos (e.g., npm, Cargo, PyPI wheels).
  • Some registries expose commit hashes or metadata, but do not enforce reproducible builds from those hashes.
  • Examples cited where PyPI wheels contained secrets or extra files not in source dists.
  • Concerns that “trusted publishing” (e.g., PyPI+GitHub Actions) still hinges heavily on CI hosts and user key security.

Package managers and functional builds (Nix/Guix)

  • Nix/Guix improve input pinning and reproducibility but still fetch tarballs or generated archives; builds can still run arbitrary scripts.
  • Nix avoided the xz tarball backdoor by building from GitHub source archives rather than upstream release tarballs, but mass rebuilds are slow.
  • Guix offers tools to compare built binaries against source (guix challenge) and explores deep bootstrappability.

Proposed mitigations and open questions

  • Generate release tarballs deterministically from specific commits and verify them against local git archive.
  • Pin packages to commit hashes and record a verifiable chain from VCS to tarball to binary.
  • Enforce or at least support reproducible tarballs and builds in registries and distros.
  • Use hermetic / pure-functional build systems with strict sandboxes and minimized tooling.
  • Strengthen or replace signature workflows; disagreement over practicality of PGP and current “web of trust.”
  • Some see current tarball-centric workflows as legacy inertia; others argue they remain practical, archivable, and widely understood.