
Re: xz backdoor



Santiago Ruano Rincón <santiagorr@riseup.net> wrote on 30/03/2024 at 22:59:43+0100:

> On 30 March 2024 13:00:26 GMT-03:00, Marco d'Itri <md@Linux.IT> wrote:
>>On Mar 30, Jonathan Carter <jcc@debian.org> wrote:
>>
>>> Another big question for me is whether I should really still
>>> package/upload/etc from an unstable machine. It seems that it may be prudent
>>If we do not use unstable for development then who is going to?
>>I think that the real question is whether we should really still use 
>>code-signing keys which are not stored in (some kind of) HSM.
>>
>
> The backdoor was discovered by someone using the compromised xz-utils *on their own machines*. So we are lucky we have people eating our own sid stuff before it becomes part of a stable release.

+1 and <3

-- 
PEB
