Re: xz backdoor

To: debian-devel@lists.debian.org
Subject: Re: xz backdoor
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 1 Apr 2024 16:47:05 +0100
Message-id: <[🔎] ZgrW-Ua_arjCowKK@riva.ucam.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 871q7p86a1.fsf@hope.eyrie.org>
References: <ZgcgCR8uDPIXVJS_@akarlsso-mac.trudheim.com> <87a5mgkcn4.fsf@hope.eyrie.org> <875xx4k9bv.fsf@hope.eyrie.org> <Zgg54bWBnxFob0S5@acer.trudheim.com> <ZghyzneqR_3Oraxo@riva.ucam.org> <20240331073509.has5xndffkjnrzss@shell.thinkmo.de> <ZgmT45FE2RaLU/M4@localhost> <[🔎] 20240401100209.p6zfilatmve5opn3@shell.thinkmo.de> <[🔎] 871q7p86a1.fsf@hope.eyrie.org>

On Mon, Apr 01, 2024 at 08:13:58AM -0700, Russ Allbery wrote:
> Bastian Blank <waldi@debian.org> writes:
> > I don't understand what you are trying to say.  If we add a hard check
> > to lintian for m4/*, set it to auto-reject, then it is fully irrelevant
> > if the upload is a tarball or git.
> 
> Er, well, there goes every C package for which I'm upstream, all of which
> have M4 macros in m4/* that do not come from an external source.

Ditto.  And a bunch of the packages where I'm not upstream too, such as
that famously enthusiastic adopter of all things GNU, OpenSSH.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Re: xz backdoor
  - From: "Theodore Ts'o" <tytso@mit.edu>

References:
- Re: xz backdoor
  - From: Bastian Blank <waldi@debian.org>
- Re: xz backdoor
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Validating tarballs against git repositories
Next by Date: Re: xz backdoor
Previous by thread: Re: xz backdoor
Next by thread: Re: xz backdoor
Index(es):
- Date
- Thread