
Re: xz backdoor



Hi Russ

On 2024/03/29 23:38, Russ Allbery wrote:
> I think the big open question we need to ask now is what exactly the
> backdoor (or, rather, backdoors; we know there were at least two versions
> over time) did.

Another big question for me is whether I should really still package/upload/etc. from an unstable machine. It seems that it may be prudent to consider it best practice to work from stable machines where any private keys are involved. For me it's just been so convenient to use unstable because it helps track changes that affect my users by the time it hits stable and also find bugs early that I care about, but perhaps I just need to make that adjustment and find more efficient ways to track unstable (perhaps on additional machines / VMs / etc.). Not sure how other DDs think about this, but I'm also curious how they will deal with this, because there's next to no filter between unstable and the outside world, and this is probably not the last time someone will try something like this.

-Jonathan