Supply chain security?

brad litterell brad_litterell at hotmail.com
Mon Jun 30 00:47:30 EDT 2025


Hi folks,
(Is it okay if I refer to GnuCash as GC?) Apologies in advance if not. 🙂

I was looking to build GC for Windows and I had some questions because I tend to be VERY paranoid about what I install on my box.

I started looking at Gnucash/gnucash-on-windows <https://github.com/Gnucash/gnucash-on-windows> and I noticed that at least some of the URLs where packages are downloaded are HTTP, not HTTPS, URLs. It also appeared (without detailed investigation to verify) that the tarballs coming from these places also didn't have any hash-based or digital-signature verification.

The upshot of all this was I didn't feel very comfortable running the environment build scripts/tools because it looked like it would be downloading and running a lot of unverified tools and content on my machine.

So, I'm just wondering if this is something you have considered, or maybe even estimated how much work would be involved in tackling it?

Also (and I'm not sure if this would tend to require fewer tool dependencies or not) - has anyone looked at whether it would be possible to build GC for Windows _from_ WSL using the mingw packages available (e.g.) in Ubuntu?

-Brad
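The concern raised above (plain-HTTP download URLs and tarballs that are never checked against a hash) is the kind of thing a build script can close in a few lines. The following is an added example written for this page, not code from gnucash-on-windows or from the poster: a fail-closed fetch helper that refuses non-HTTPS sources and verifies a pinned SHA-256 before the archive is used. The URL, file names and digests in any call to it are constructed for illustration; the only real value used here is the SHA-256 of the string "hello\n", which the helper can be checked against offline.

```shell
#!/bin/sh
# Added example (not gnucash-on-windows code): download only from HTTPS and
# verify a pinned SHA-256 before the tarball is allowed to exist on disk.
set -eu

# Refuse plain-HTTP sources: on an http:// URL anyone on the path can swap
# the archive, and a later checksum is the only thing that would catch it.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) printf 'refusing non-HTTPS source: %s\n' "$1" >&2; return 1 ;;
    esac
}

# SHA-256 of a file, using whichever tool the host provides
# (coreutils sha256sum on Linux/MSYS2, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's digest against the pinned value; 0 on match, 1 otherwise.
# The expected digest is what a build script should carry next to each URL.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# Fetch over HTTPS, then verify. On mismatch the file is removed so no
# subsequent extraction step can pick up an unverified archive.
# Usage: fetch_and_verify URL DEST EXPECTED_SHA256
fetch_and_verify() {
    url=$1
    dest=$2
    expected=$3
    require_https "$url"
    curl --fail --location --silent --show-error --output "$dest" "$url"
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
}
```

A build script would call `fetch_and_verify https://example.invalid/libfoo-1.2.tar.xz libfoo-1.2.tar.xz <pinned sha256>` (hypothetical URL and package) for each dependency, with the digest committed alongside the URL so that a changed upstream tarball fails the build instead of being compiled. A signature check (for example verifying an upstream `.sig` with a pinned public key) would sit in the same place; it is not included here because it depends on what each upstream publishes.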