Re: xz backdoor

To: debian-devel@lists.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: xz backdoor
From: Marco d'Itri <md@Linux.IT>
Date: Sat, 30 Mar 2024 17:00:26 +0100
Message-id: <[🔎] Zgg3Gm0aGIdQCMua@bongo.bofh.it>
In-reply-to: <[🔎] 36567ed4-7246-4466-9122-2934d6e9f18f@debian.org>
References: <[🔎] ZgcgCR8uDPIXVJS_@akarlsso-mac.trudheim.com> <[🔎] 87a5mgkcn4.fsf@hope.eyrie.org> <[🔎] 875xx4k9bv.fsf@hope.eyrie.org> <[🔎] 36567ed4-7246-4466-9122-2934d6e9f18f@debian.org>

On Mar 30, Jonathan Carter <jcc@debian.org> wrote:

> Another big question for me is whether I should really still
> package/upload/etc from an unstable machine. It seems that it may be prudent
If we do not use unstable for development then who is going to?
I think that the real question is whether we should really still use 
code-signing keys which are not stored in (some kind of) HSM.

-- 
ciao,
Marco

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: xz backdoor
  - From: Christian Kastner <ckk@kvr.at>
- Re: xz backdoor
  - From: Andrey Rakhmatullin <wrar@debian.org>
- Re: xz backdoor
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>

References:
- xz backdoor
  - From: Sirius <sirius@trudheim.com>
- Re: xz backdoor
  - From: Russ Allbery <rra@debian.org>
- Re: xz backdoor
  - From: Russ Allbery <rra@debian.org>
- Re: xz backdoor
  - From: Jonathan Carter <jcc@debian.org>

Prev by Date: Re: Validating tarballs against git repositories
Next by Date: Re: Validating tarballs against git repositories
Previous by thread: Re: xz backdoor
Next by thread: Re: xz backdoor
Index(es):
- Date
- Thread