Re: xz backdoor



El 31/03/24 a las 00:53, Christian Kastner escribió:
> On 2024-03-30 22:59, Santiago Ruano Rincón wrote:
> > The backdoor was discovered by someone using the compromised xz-utils *in their own machines*. So we are lucky we have people eating our own sid stuff before it becomes part of a stable release.
> 
> The luck was that this particular compromise was discovered, not that it
> happened.

I don't say the opposite.

> 
> I agree that dogfooding is important for discovering quality issues, but
> I think it's a poor argument for discovering security issues, especially
> if it concerns a host which is used for building and signing packages.
> 
> As I mentioned earlier, I think containers are one good way to have
> almost the best of both worlds. One can do anything one could do on
> host, all while being isolated from that host, and with very little
> overhead but also a ton of useful extra features.

I don't see the real benefit.

As others have said, the best solution is to rely on an HSM for handling
the cryptographic material.
