Kevin

@drewdevault according to tukaani.org/xz-backdoor/ this was already the case.

"Tarballs created by Jia Tan were signed by him. Any tarballs signed by me were created by me."

Drew DeVault

@ikke well, did anyone downstream verify the signatures? I only know of Arch Linux as incorporating upstream release signatures into their build process, and they do so inconsistently. So even if they were signed I don't think that means there are processes to do due diligence.

Kevin

@drewdevault a new maintainer can do one or more innocent releases. Their keys are trusted, and then they can start incorporating malicious changes.

Drew DeVault

@ikke indeed, but at least it makes it a matter of record when the handover applied to a downstream distro, and gives you an opportunity to say "hm... that guy showed up out of nowhere and took over this critical low-level project, something smells..."

I would have been suspicious of this even from the initial hand-over, *if* I had done the due diligence, so making that part of the process might be a good idea?
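As an added example (not code from anyone in this thread, and not any distro's actual packaging script): the kind of downstream build step Drew is describing, written as a POSIX shell fragment. It verifies the detached signature on an upstream tarball with gpg, then requires the signer's primary key fingerprint to be one already pinned for that project. A valid signature from a key that is not pinned fails the build instead of passing silently, so a maintainer handover becomes a recorded decision rather than something the packager never notices. The fingerprint file format, the function names and the sample status lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not a distro's own build script. Assumptions: gpg is installed,
# and the pinned primary-key fingerprints for a project live in a text file, one
# fingerprint per line, that is reviewed and updated by a human on handover.

# Read gpg --status-fd output from stdin and print the primary key fingerprint
# reported on the VALIDSIG line (its last field). Prints nothing and returns 1
# when gpg reported no valid signature at all.
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Return 0 if the fingerprint is in the pinned list (whole line, case-insensitive).
fingerprint_is_pinned() {
    fpr="$1"; pinfile="$2"
    grep -qix -- "$fpr" "$pinfile"
}

# Full check for one release: signature must verify AND the signer must be pinned.
# Exit 1 on a bad/missing signature, 2 when the key is valid but not yet pinned.
verify_release() {
    tarball="$1"; sig="$2"; pinfile="$3"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "BAD: signature on $tarball did not verify" >&2; return 1; }
    fpr=$(printf '%s\n' "$status" | signer_fingerprint) || {
        echo "BAD: no VALIDSIG reported for $tarball" >&2; return 1; }
    if fingerprint_is_pinned "$fpr" "$pinfile"; then
        echo "OK: $tarball signed by pinned key $fpr"
    else
        echo "REVIEW: $tarball signed by unpinned key $fpr; record the handover before trusting it" >&2
        return 2
    fi
}

# Typical use inside a build recipe (paths are placeholders):
#   verify_release project-1.2.3.tar.xz project-1.2.3.tar.xz.sig keys/project.pinned || exit
```

Pinning by fingerprint rather than relying on gpg's exit status matters because `gpg --verify` returns success for any well-formed signature from a key in the keyring, trusted or not. The VALIDSIG line carries both the signing subkey's fingerprint and, as its last field, the primary key's, so the pinned list holds primary fingerprints and keeps working when a maintainer rotates a signing subkey.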
