Supply chain security?

John Ralls jralls at ceridwen.us
Mon Jun 30 13:10:04 EDT 2025



> On Jun 29, 2025, at 21:47, brad litterell <brad_litterell at hotmail.com> wrote:
> 
> Hi folks,
> (Is it okay if I refer to GnuCash as GC?) Apologies in advance if not. 🙂
> 
> I was looking to build GC for Windows and I had some questions because I tend to be VERY paranoid about what I install on my box.
> 
> I started looking at Gnucash/gnucash-on-windows <https://github.com/Gnucash/gnucash-on-windows> and I noticed that at least some of the URLs where packages are downloaded are from HTTP not HTTPS URLs.  It also appeared (without detailed investigation to verify) that the tarballs coming from these places also didn't have any hash-based or digital-signature verification.
> 
> The upshot of all this was I didn't feel very comfortable running the environment build scripts/tools because it looked like it would be downloading and running a lot of unverified tools and content on my machine.
> 
> So, I'm just wondering if this is something you have considered, or maybe even estimated how much work would be involved in tackling it?
> 
> Also (and I'm not sure if this would tend to require fewer tool dependencies or not) - has anyone looked at whether it would be possible to build GC for Windows _from_ WSL using the mingw packages available (e.g.) in Ubuntu?


Of the http URLs in gnucash-on-windows/gnucash.modules, only two are actually used, sourceforge and aleksey. Both have https redirects so the connection ends up being encrypted. That’s not an excuse and I’ll get the URLs cleaned up later today.  It’s also true that providing hashes for tarballs isn’t common enough among open-source library providers. On the other hand the nature of supply-chain attacks reported in the last couple of years has been from malicious contributors to open source projects getting code incorporated into respected projects or creating malicious projects with similar names on popular package managers like PyPI. Tarball hashes and https aren’t any protection against either of those.

I don’t know of any attempts to cross-compile in WSL but I also can’t think of any reason it wouldn’t work.

Regards,
John Ralls
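The two weaknesses raised in this exchange, plain-http download URLs and tarball branches with no hash, can be checked mechanically in a jhbuild moduleset such as gnucash.modules. The script below is an added example, not code from the GnuCash project or from either poster; the moduleset it parses is a constructed sample in jhbuild's format, and it assumes jhbuild's `hash="algo:hexdigest"` branch attribute as the verification hook.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample in jhbuild moduleset format (the format gnucash.modules uses);
# the repositories and modules are illustrative, not copied from the real file.
SAMPLE_MODULESET = """<?xml version="1.0"?>
<moduleset>
  <repository type="tarball" name="sourceforge" href="http://downloads.sourceforge.net/"/>
  <repository type="tarball" name="gnome" href="https://download.gnome.org/sources/"/>
  <autotools id="libfoo">
    <branch repo="sourceforge" module="libfoo/libfoo-1.2.tar.gz" version="1.2"/>
  </autotools>
  <autotools id="libbar">
    <branch repo="gnome" module="libbar/2.0/libbar-2.0.tar.xz" version="2.0"
            hash="sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"/>
  </autotools>
</moduleset>
"""


def audit_moduleset(xml_text):
    """Return {module_id: (download_url, [issues])} for every tarball branch.

    Issues: "plain-http" when the resolved URL is not https, and "no-hash"
    when the branch carries no hash attribute, so jhbuild cannot verify
    the tarball it downloads.
    """
    root = ET.fromstring(xml_text)
    repos = {r.get("name"): r for r in root.findall("repository")}
    findings = {}
    for module in root:
        branch = module.find("branch")
        if branch is None:
            continue
        repo = repos.get(branch.get("repo"))
        if repo is None or repo.get("type") != "tarball":
            continue  # git/hg branches are not tarball downloads
        url = urljoin(repo.get("href"), branch.get("module"))
        issues = []
        if urlparse(url).scheme != "https":
            issues.append("plain-http")
        if not branch.get("hash"):
            issues.append("no-hash")
        findings[module.get("id")] = (url, issues)
    return findings


def verify_tarball(data, hash_attr):
    """Compare downloaded bytes against a jhbuild-style 'algo:hexdigest' value."""
    algo, _, expected = hash_attr.partition(":")
    return hashlib.new(algo, data).hexdigest() == expected.lower()
```

As the reply notes, a passing audit only protects the transport and the integrity of the named tarball; it says nothing about whether the upstream contents are trustworthy.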



