Kevin
@drewdevault according to https://tukaani.org/xz-backdoor/ this was already the case.
"Tarballs created by Jia Tan were signed by him. Any tarballs signed by me were created by me."
Kevin
@drewdevault a new maintainer can do one or more innocent releases. Their keys are trusted, and then they can start incorporating malicious changes.
Drew DeVault
@ikke indeed, but at least it makes it a matter of record when the handover applied to a downstream distro, and gives you an opportunity to say "hm... that guy showed up out of nowhere and took over this critical low-level project, something smells..." I would have been suspicious of this even from the initial handover, *if* I had done the due diligence, so making that part of the process might be a good idea?
@ikke well, did anyone downstream verify the signatures? I only know of Arch Linux as incorporating upstream release signatures into their build process, and they do so inconsistently. So even if they were signed I don't think that means there are processes to do due diligence.