
Re: Coordinate response to xz-utils (DSA 5649-1)



Ansgar 🙀 <ansgar@43-1.org> wrote on 29/03/2024 at 23:59:38+0100:

> Hi,
>
> how should we react to the compromised xz-utils upload?
>
> Ubuntu is reverting their amd64 binaries to pre-Feb 25 and rebuilding
> stuff.
>
> On Debian side AFAIU currently amd64 buildds are paused and pending
> reinstall (plus rotation of key material, both OpenPGP and SSH).
>
> People are starting to investigate packages that have been built since
> the compromised xz-utils was uploaded, including packages built for
> stable suites using reproducible builds. Is there someone keeping track
> of this?
>
> Should we also reset the archive to some prior state and rebuild
> packages like Ubuntu? Do we need to revert to an earlier date as
> vulnerable versions have been uploaded to experimental on 2024-02-01
> (but the earlier version might only have corrupted test files, not the
> payload enabler)? If so, which suites and which architectures? (This
> will likely take a while to prepare.)

Considering the payload enabler, I'd focus on amd64 arch and not touch
the archive for anything else.

> Do we need any other immediate actions?
>
> Should we use something other than mail to keep track of what we want
> to do? (Mail threads can become hard to keep track of after all.)

Not sure, but RT could serve this purpose I guess. Or, alternatively, a
(reasonably private) pad.

> (Let us please keep future improvements such as more isolated builds
> out of this particular discussion.)

-- 
PEB
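As an added illustration of the triage Ansgar describes (packages built since the compromised upload, checked against reproducible rebuilds) with the amd64-only scope PEB proposes; this is not code from the thread or from Debian's own tooling, and the build records, hashes and the single 2024-02-01 cutoff are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Earliest date named in the thread for a vulnerable xz-utils upload
# (experimental, 2024-02-01). Applying it to every suite is a deliberately
# conservative assumption; the thread leaves the exact window open.
CUTOFF = date(2024, 2, 1)
AFFECTED_ARCHES = {"amd64"}  # PEB's proposal: focus on amd64 only


@dataclass(frozen=True)
class BuildRecord:
    source: str
    version: str
    arch: str
    suite: str
    built_on: date
    archive_sha256: str            # hash of the .deb currently in the archive
    rebuild_sha256: Optional[str]  # hash from an independent reproducible rebuild, if done


def triage(rec: BuildRecord) -> str:
    """Classify one binary build: out-of-scope, verified, mismatch or rebuild."""
    if rec.arch not in AFFECTED_ARCHES or rec.built_on < CUTOFF:
        return "out-of-scope"      # not built on a possibly tainted amd64 buildd
    if rec.rebuild_sha256 is None:
        return "rebuild"           # in the window, no independent evidence yet
    if rec.rebuild_sha256 == rec.archive_sha256:
        return "verified"          # reproducible rebuild matches bit for bit
    return "mismatch"              # rebuild differs: hold and investigate first


def plan(records: Iterable[BuildRecord]) -> Dict[str, List[str]]:
    """Group builds by outcome so the tracking list can live outside a mail thread."""
    out: Dict[str, List[str]] = {"out-of-scope": [], "verified": [], "mismatch": [], "rebuild": []}
    for r in records:
        out[triage(r)].append(f"{r.source}_{r.version}_{r.arch}")
    return out


def sample_records() -> List[BuildRecord]:
    """Constructed sample data; names, versions and hashes are placeholders, not archive values."""
    return [
        BuildRecord("foo", "1.0-1", "amd64", "unstable", date(2024, 1, 20), "aa", None),
        BuildRecord("foo", "1.0-2", "amd64", "unstable", date(2024, 3, 1), "bb", "bb"),
        BuildRecord("bar", "2.3-1", "amd64", "experimental", date(2024, 2, 10), "cc", "dd"),
        BuildRecord("baz", "0.9-1", "amd64", "unstable", date(2024, 3, 20), "ee", None),
        BuildRecord("baz", "0.9-1", "arm64", "unstable", date(2024, 3, 20), "ff", None),
    ]
```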
