Ansgar 🙀 <ansgar@43-1.org> wrote on 29/03/2024 at 23:59:38+0100: > Hi, > > how should we react to the compromised xz-utils upload? > > Ubuntu is reverting their amd64 binaries to pre-Feb 25 and rebuilding > stuff. > > On Debian side AFAIU currently amd64 buildds are paused and pending > reinstall (plus rotation of key material, both OpenPGP and SSH). > > People are starting to investigate packages that have been built since > the compromised xz-utils was uploaded, including packages built for > stable suites using reproducible builds. Is there someone keeping track > of this? > > Should we also reset the archive to some prior state and rebuilt > packages like Ubuntu? Do we need to revert to an earlier date as > vulnerable versions have been uploaded to experimental on 2024-02-01 > (but the earlier version might only have corrupted test files, not the > payload enabler)? If so, which suites and which architectures? (This > will likely take a while to prepare.) Considering the payload enabler, I'd focus on amd64 arch and not touch the archive for anything else. > Do we need any other immediate actions? > > Should we use something other than mail to keep track of what we want > to do? (Mail threads can become hard to keep track of after all.) Not sure, but RT could serve this purpose I guess. Or, alternatively, a (reasonably private) pad. > (Let us please keep future improvements such as more isolated builds > out of this particular discussion.) -- PEB
Attachment:
signature.asc
Description: PGP signature