Re: xz backdoor
On Sun, 31 Mar 2024 at 10:17, Sirius <sirius@trudheim.com> wrote:
> Reduction of complexity is IMHO always worthwhile as it would open the
> door for more people being able to step up as maintainers (taking into
> account that volunteers right this minute might not be overly welcome and
> when they are, they should likely not be near authentication, crypto and
> compression at least initially).
It's worse than that: to make the xz MR look more legit,
the fake puppet profile "Hans Jansen" also sent _maybe_ legit MRs to
random games repos:
https://news.ycombinator.com/item?id=39868390
Here, fixing our Salsa tooling could also help make real newcomers'
lives more enjoyable by always disabling MRs against upstream & pristine-tar.
I don't see any really good purpose for these unreviewable [*] huge diffs;
one could just ping someone with commit access to do
"gbp import-orig --uscan --pristine-tar ; gbp push"
or, if absolutely nobody has the time for this, maybe a bot could do it?
BTW it's quite smart to attack the Games team,
as we're used to getting legit one-off MRs from people
never to be seen again.
[*] https://salsa.debian.org/games-team/endless-sky/-/merge_requests/5
Greetings
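The import the message proposes, as an added example (this is not code from the thread, from the Games team, or from Debian's tooling): a small wrapper that refuses merge requests targeting the branches gbp owns, and only runs "gbp import-orig --uscan --pristine-tar ; gbp push" when uscan will be able to verify the upstream signature. It assumes a gbp-managed packaging repo with debian/watch and debian/upstream/signing-key.asc, uscan and gbp on PATH, and gbp's default branch names upstream and pristine-tar; the watch-file check is a text heuristic, uscan does the real verification.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian's tooling.
# Assumptions: a gbp-managed packaging repo with debian/watch and
# debian/upstream/signing-key.asc; uscan and gbp on PATH; gbp's default
# branch names upstream and pristine-tar.
set -eu

GBP_OWNED_BRANCHES="upstream pristine-tar"

# Branches gbp writes on import are not for hand-made merge requests.
# Returns 1 when an MR targeting $1 should be refused.
mr_target_allowed() {
    target=$1
    for b in $GBP_OWNED_BRANCHES; do
        [ "$target" = "$b" ] && return 1
    done
    return 0
}

# Only import when uscan can verify the upstream signature: the watch file
# must carry a pgp option (and not pgpmode=none) and the upstream key must
# be present. Text heuristic only; uscan itself performs the check.
import_preflight() {
    repo=$1
    [ -f "$repo/debian/watch" ] \
        || { echo "$repo: no debian/watch" >&2; return 1; }
    [ -f "$repo/debian/upstream/signing-key.asc" ] \
        || { echo "$repo: no debian/upstream/signing-key.asc" >&2; return 1; }
    if grep -q 'pgpmode=none' "$repo/debian/watch"; then
        echo "$repo: watch file disables signature checks" >&2
        return 1
    fi
    if ! grep -Eq 'pgpsigurlmangle|pgpmode=' "$repo/debian/watch"; then
        echo "$repo: watch file has no signature option" >&2
        return 1
    fi
    return 0
}

# The import itself, exactly as proposed in the message, after the preflight.
import_upstream() {
    repo=$1
    import_preflight "$repo"
    ( cd "$repo" && gbp import-orig --uscan --pristine-tar && gbp push )
}

# Usage: ./import-upstream.sh /path/to/packaging-repo
if [ $# -eq 1 ]; then
    import_upstream "$1"
fi
```

mr_target_allowed is meant for a CI job or a bot that triages open MRs; the preflight is the caveat worth keeping in mind: a valid signature only ties the tarball to whoever holds the upstream key, it does not review what is inside, which is why the branch restriction and a maintainer-run import are the actual point.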