
Re: xz backdoor



Hi!

On Sat, 30 Mar 2024 at 14:32, Andrey Rakhmatullin <wrar@debian.org> wrote:
> On Sat, Mar 30, 2024 at 10:49:33AM +0200, Jonathan Carter wrote:
> > Another big question for me is whether I should really still
> > package/upload/etc from an unstable machine. It seems that it may be prudent
> > to consider it best practice to work from stable machines where any private
> > keys are involved. For me it's just been so convenient to use unstable
> > because it helps track changes that affect my users by the time it hits
> > stable and also find bugs early that I care about, but perhaps I just need
> > to make that adjustment and find more efficient ways to track unstable
> > (perhaps on additional machines / VMs / etc). Not sure how other DDs think
> > about this, but I'm also curious how they will deal with this, because
> > there's near to no filter between unstable and the outside world, and this
> > is probably not the last time someone will try something like this.
> For me it's simple: if I'm forced to run my tools not on the host but in
> some kind of inconvenient VM/chroot/whatever, I'll just stop contributing.

I am doing all my builds inside a (Podman) container with the sources
loop-mounted. Thus I can use git and visual code editor directly on
sources with full access, but when the build runs, it is fully inside
a container that has no host access nor even network access. To
achieve this I wrote a tool which you might want to check out:
https://salsa.debian.org/otto/debcraft
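A minimal Podman invocation in the spirit of the setup described above, added here as an example and not taken from debcraft; the image name, the `:Z` relabel flag and the `dpkg-buildpackage` command line are assumptions.

```shell
#!/bin/sh
# Added example (not debcraft's code): build a Debian source tree inside a
# Podman container that sees only the bind-mounted sources and has no network.
# Assumption: the image already carries build-essential and the package's
# build-dependencies, because with --network=none nothing can be fetched.
set -eu

# Run (or, with DRY_RUN=1, just print) an isolated build of the tree in $1.
# git and the editor keep working on $1 from the host; the build itself
# gets no host home directory, no private keys and no network.
isolated_build() {
    src_dir=$1
    image=${2:-localhost/debian-build:unstable}   # assumed local image name
    set -- run --rm \
        --network=none \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --userns=keep-id \
        --volume "$src_dir:/src:Z" \
        --workdir /src \
        "$image" \
        dpkg-buildpackage -us -uc -b
    # --userns=keep-id assumes rootless podman: build artefacts in /src end up
    # owned by the invoking user instead of root.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        podman "$@"
    fi
}

# Usage: ./isolated-build.sh ./path/to/source-tree [image]
if [ $# -gt 0 ]; then
    isolated_build "$@"
fi
```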
