
Re: Coordinate response to xz-utils (DSA 5649-1)



On Fri, Mar 29, 2024 at 11:59:38PM +0100, Ansgar 🙀 wrote:
> Should we also reset the archive to some prior state and rebuild
> packages like Ubuntu? Do we need to revert to an earlier date as
> vulnerable versions have been uploaded to experimental on 2024-02-01
> (but the earlier version might only have corrupted test files, not the
> payload enabler)? If so, which suites and which architectures? (This
> will likely take a while to prepare.)

It all depends on whether we trust the current state of the archive.  If we do
not, we need to revert.  At least with:
- revert xz-utils to binaries from stable
- remove binaries built since the library reached the buildd chroots
- hope that the remaining ones are still enough to have a running Debian
- rebuild the lost packages

Do we have evidence that < 5.6.0 actually contained something?  I only
saw changes on something like 2024-02-24 with the added files.

Only amd64 is affected from what was reported.

> Should we use something other than mail to keep track of what we want
> to do? (Mail threads can become hard to keep track of after all.)

We have a suite with some project management capabilities: salsa.  Let's
just use it instead of ad-hoc tools.  I don't think we have something
better right now?

Let's just create a project, for now in the ftp-team group.  It can be
public, because single issues (tasks) can be confidential if needed.
Add security and release team as Reporter, so they can see and modify
everything issue related.

Bastian

-- 
Hailing frequencies open, Captain.
