Santiago Ruano Rincón <santiagorr@riseup.net> wrote on 30/03/2024 at 22:59:43+0100:
> On 30 March 2024 13:00:26 GMT-03:00, Marco d'Itri <md@Linux.IT> wrote:
>>On Mar 30, Jonathan Carter <jcc@debian.org> wrote:
>>
>>> Another big question for me is whether I should really still
>>> package/upload/etc from an unstable machine. It seems that it may be prudent
>>If we do not use unstable for development then who is going to?
>>I think that the real question is whether we should really still use
>>code-signing keys which are not stored in (some kind of) HSM.
>>
>
> The backdoor was discovered by someone using the compromised xz-utils *in their own machines*. So we are lucky we have people eating our own sid stuff before it becomes part of a stable release.

+1 and <3

-- 
PEB