Re: xz backdoor

To: debian-devel@lists.debian.org, Marco d'Itri <md@Linux.IT>
Subject: Re: xz backdoor
From: Santiago Ruano Rincón <santiagorr@riseup.net>
Date: Sat, 30 Mar 2024 18:59:43 -0300
Message-id: <[🔎] 845606FD-868C-4509-A0B1-5B43228CACF7@riseup.net>
In-reply-to: <[🔎] Zgg3Gm0aGIdQCMua@bongo.bofh.it>
References: <[🔎] ZgcgCR8uDPIXVJS_@akarlsso-mac.trudheim.com> <[🔎] 87a5mgkcn4.fsf@hope.eyrie.org> <[🔎] 875xx4k9bv.fsf@hope.eyrie.org> <[🔎] 36567ed4-7246-4466-9122-2934d6e9f18f@debian.org> <[🔎] Zgg3Gm0aGIdQCMua@bongo.bofh.it>


Em 30 de março de 2024 13:00:26 GMT-03:00, Marco d'Itri <md@Linux.IT> escreveu:
>On Mar 30, Jonathan Carter <jcc@debian.org> wrote:
>
>> Another big question for me is whether I should really still
>> package/upload/etc from an unstable machine. It seems that it may be prudent
>If we do not use unstable for development then who is going to?
>I think that the real question is whether we should really still use 
>code-signing keys which are not stored in (some kind of) HSM.
>

The backdoor was discovered by someone using the compromised xz-utils *in their own machines*. So we are lucky we have people eating our own sid stuff before it becomes part of a stable release.

Reply to:

Follow-Ups:
- Re: xz backdoor
  - From: Pierre-Elliott Bécue <peb@debian.org>
- Re: xz backdoor
  - From: Leandro Cunha <leandrocunha016@gmail.com>
- Re: xz backdoor
  - From: Christian Kastner <ckk@kvr.at>

References:
- xz backdoor
  - From: Sirius <sirius@trudheim.com>
- Re: xz backdoor
  - From: Russ Allbery <rra@debian.org>
- Re: xz backdoor
  - From: Russ Allbery <rra@debian.org>
- Re: xz backdoor
  - From: Jonathan Carter <jcc@debian.org>
- Re: xz backdoor
  - From: Marco d'Itri <md@Linux.IT>

Prev by Date: Re: Is it allowed to remove attribution in public domain "licensed" source code? (and pondering about ftp-level reviews)
Next by Date: Bug#1068113: ITP: libsmb2 -- SMB2/3 client library
Previous by thread: Re: xz backdoor
Next by thread: Re: xz backdoor
Index(es):
- Date
- Thread