public inbox for gentoo-dev@lists.gentoo.org
From: Sam James <sam@gentoo.org>
To: Ulrich Mueller <ulm@gentoo.org>
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Last rites: sec-keys/openpgp-keys-jiatan
Date: Thu, 30 May 2024 14:53:15 +0100
Message-ID: <87r0dje790.fsf@gentoo.org> (raw)
In-Reply-To: <umso7yccc@gentoo.org> (Ulrich Mueller's message of "Thu, 30 May 2024 09:42:59 +0200")

[-- Attachment #1: Type: text/plain, Size: 1110 bytes --]

Ulrich Mueller <ulm@gentoo.org> writes:

>>>>>> On Wed, 29 May 2024, Sam James wrote:
>
>> # Sam James <sam@gentoo.org> (2024-05-29)
>> # OpenPGP key of malicious xz co-maintainer. This key is no longer used
>> # by any ebuilds in tree. Removal on 2024-06-29.
>> # Bug #928134.
>> sec-keys/openpgp-keys-jiatan
>
> Just out of interest, by what chain of trust was this key added, in the
> first place?

I have been a member of the xz community for several years and was
around before Jia came into the picture, and was around as he became a
contributor, developer, and eventually co-maintainer. Him being a
release manager was not a surprise and it was done with Lasse's consent
(although, as we now know, he felt pressured into it).

That is, there's no chain of trust verification which would've helped here. That
said, his key was signed by Lasse's anyway.

But in general for verify-sig stuff, we tend to rely on TOFU for new
packages, some sort of statement where possible / signing for changes
in keys from the same person or a new release manager, but it's not
always possible.

>
> Ulrich

thanks,
sam

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 377 bytes --]
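The key-rotation case Sam describes (a key change from the same person, or a hand-over to a new release manager, accepted only when the change is signed) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread and not Gentoo's verify-sig eclass: it feeds the colon-format output of `gpg --with-colons --check-sigs` for the candidate key through a small awk filter that succeeds only if the key carries a good certification from the previous maintainer's key ID. The key IDs, names and addresses in the sample are constructed placeholders, and the column layout is assumed to follow gpg's doc/DETAILS description of `--with-colons` records.

```shell
#!/bin/sh
# Added example: key-rotation check for a verify-sig style workflow.
# Not code from the gentoo-dev thread or from Gentoo's verify-sig eclass.
# Input is the colon-format output of
#   gpg --with-colons --check-sigs <new key fingerprint>
# whose field layout is assumed to follow gpg's doc/DETAILS:
#   sig records: $2 = '!' good / '-' bad / '?' signer key unknown,
#                $5 = signer key ID, $10 = signer user ID, $11 = sig class.

# Constructed sample output for a hypothetical new maintainer key. Every key
# ID, name and address here is a placeholder, not a real key.
SAMPLE_CHECK_SIGS='pub:-:4096:1:0123456789ABCDEF:1700000000::-:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
uid:-::::1700000000::0000000000000000000000000000000000000000::New Maintainer <new@example.invalid>::::::::::0:
sig:!::1:0123456789ABCDEF:1700000000::::New Maintainer <new@example.invalid>:13x:::::::::
sig:!::1:FEDCBA9876543210:1700000100::::Old Maintainer <old@example.invalid>:10x:::::::::
sig:?::1:1111111111111111:1700000200::::[User ID not found]:10x:::::::::'

# certified_by OLD_KEYID
#   Reads colon records on stdin. Exit 0 if the listed key carries at least one
#   *good* ('!') certification of class 0x10..0x13 whose signer key ID equals
#   OLD_KEYID. Self-signatures never count, and a '?' record (signer key not in
#   the local keyring, so the signature could not be verified) never counts.
certified_by() {
    awk -F: -v old="$1" '
        $1 == "pub" { pubkey = $5 }
        $1 == "sig" && $2 == "!" && $5 == old && $5 != pubkey && $11 ~ /^1[0-3]/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# check_sample OLD_KEYID: run certified_by over the constructed sample so the
# logic can be exercised without gpg installed.
check_sample() {
    printf '%s\n' "$SAMPLE_CHECK_SIGS" | certified_by "$1"
}

# check_real NEW_FPR OLD_KEYID: the same check against a live keyring. The old
# maintainer's public key must already be imported; otherwise gpg reports the
# certification as '?' and the check fails closed.
check_real() {
    gpg --with-colons --check-sigs "$1" | certified_by "$2"
}
```

Two properties matter here. First, the check fails closed: a certification whose signer is not in the local keyring shows up as `?`, not `!`, so importing the old key is a prerequisite, and the example treats an unverifiable signature the same as a missing one. Second, it says nothing about the first key ever trusted for a package; that is the TOFU step Sam mentions, and no signature check can substitute for it, which is exactly why a key signed by the legitimate maintainer was no protection in the xz case.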

Thread overview:
2024-05-29 18:37 [gentoo-dev] Last rites: sec-keys/openpgp-keys-jiatan Sam James
2024-05-30  6:49 ` [gentoo-dev] " Duncan
2024-05-30 13:50   ` Sam James
2024-05-30  7:42 ` [gentoo-dev] " Ulrich Mueller
2024-05-30 13:53   ` Sam James [this message]