Re: xz backdoor

To: debian-devel@lists.debian.org
Subject: Re: xz backdoor
From: Andrey Rakhmatullin <wrar@debian.org>
Date: Sun, 31 Mar 2024 00:40:31 +0500
Message-id: <[🔎] Zghqr7N2x6e-AOto@belkar.wrar.name>
In-reply-to: <[🔎] Zgg3Gm0aGIdQCMua@bongo.bofh.it>
References: <[🔎] ZgcgCR8uDPIXVJS_@akarlsso-mac.trudheim.com> <[🔎] 87a5mgkcn4.fsf@hope.eyrie.org> <[🔎] 875xx4k9bv.fsf@hope.eyrie.org> <[🔎] 36567ed4-7246-4466-9122-2934d6e9f18f@debian.org> <[🔎] Zgg3Gm0aGIdQCMua@bongo.bofh.it>

On Sat, Mar 30, 2024 at 05:00:26PM +0100, Marco d'Itri wrote:
> On Mar 30, Jonathan Carter <jcc@debian.org> wrote:
> 
> > Another big question for me is whether I should really still
> > package/upload/etc from an unstable machine. It seems that it may be prudent
> If we do not use unstable for development then who is going to?
Yup.

> I think that the real question is whether we should really still use 
> code-signing keys which are not stored in (some kind of) HSM.
What are the options for random DDs for that?

-- 
WBR, wRAR

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: xz backdoor
  - From: Ansgar 🙀 <ansgar@43-1.org>

References:
- xz backdoor
  - From: Sirius <sirius@trudheim.com>
- Re: xz backdoor
  - From: Russ Allbery <rra@debian.org>
- Re: xz backdoor
  - From: Russ Allbery <rra@debian.org>
- Re: xz backdoor
  - From: Jonathan Carter <jcc@debian.org>
- Re: xz backdoor
  - From: Marco d'Itri <md@Linux.IT>

Prev by Date: Re: xz backdoor
Next by Date: Re: Validating tarballs against git repositories
Previous by thread: Re: xz backdoor
Next by thread: Re: xz backdoor
Index(es):
- Date
- Thread