
Re: Coordinate response to xz-utils (DSA 5649-1)



Hi,

On 2024-03-29 23:59, Ansgar 🙀 wrote:
> Hi,
> 
> how should we react to the compromised xz-utils upload?
> 
> Ubuntu is reverting their amd64 binaries to pre-Feb 25 and rebuilding
> stuff.
> 
> On Debian side AFAIU currently amd64 buildds are paused and pending
> reinstall (plus rotation of key material, both OpenPGP and SSH).

All the 8 existing VMs at csail, conova, grnet and ubc have been
shut down, and their GPG keys have been removed on the dak side. Their SSH
keys are managed by puppet, so are still enabled at this time, but their
restricted command has been disabled as they are not allowed to build
any architecture.

2 new VMs have been created, x86-grnet-03 and x86-grnet-04. Currently
they only build buster, bullseye and bookworm and the associated
security suites. I didn't enable backports, as it probably needs to be
audited for the builds after Feb 25, like it was done for the security
suites using reproducible builds.

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                     http://aurel32.net

