Ulrich Mueller writes:

>>>>>> On Wed, 29 May 2024, Sam James wrote:
>
>> # Sam James (2024-05-29)
>> # OpenPGP key of malicious xz co-maintainer. This key is no longer used
>> # by any ebuilds in tree. Removal on 2024-06-29.
>> # Bug #928134.
>> sec-keys/openpgp-keys-jiatan
>
> Just out of interest, by what chain of trust was this key added, in the
> first place?

I have been a member of the xz community for several years and was around before Jia came into the picture, and was around as he became a contributor, developer, and eventually co-maintainer. Him being a release manager was not a surprise and it was done with Lasse's consent (although, as we now know, he felt pressured into it).

That is, there's no chain of trust verification which would've helped here. That said, his key was signed by Lasse's anyway.

But in general for verify-sig stuff, we tend to rely on TOFU for new packages, and some sort of statement where possible / signing for changes in keys from the same person or a new release manager, but it's not always possible.

> Ulrich

thanks,
sam