From: Sam James
To: Ulrich Mueller
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Last rites: sec-keys/openpgp-keys-jiatan
In-Reply-To: (Ulrich Mueller's message of "Thu, 30 May 2024 09:42:59 +0200")
Organization: Gentoo
References: <875xuwfoqs.fsf@gentoo.org>
Date: Thu, 30 May 2024 14:53:15 +0100
Message-ID: <87r0dje790.fsf@gentoo.org>

Ulrich Mueller writes:

>>>>> On Wed, 29 May 2024, Sam James wrote:
>
>> # Sam James (2024-05-29)
>> # OpenPGP key of malicious xz co-maintainer. This key is no longer used
>> # by any ebuilds in tree. Removal on 2024-06-29.
>> # Bug #928134.
>> sec-keys/openpgp-keys-jiatan
>
> Just out of interest, by what chain of trust was this key added, in the
> first place?

I have been a member of the xz community for several years and was around
before Jia came into the picture, and was around as he became a contributor,
developer, and eventually co-maintainer. Him being a release manager was not
a surprise and it was done with Lasse's consent (although, as we now know,
he felt pressured into it).

That is, there's no chain of trust verification which would've helped here.
That said, his key was signed by Lasse's anyway.

But in general for verify-sig stuff, we tend to rely on TOFU for new
packages, some sort of statement where possible / signing for changes in
keys from the same person or a new release manager, but it's not always
possible.

> Ulrich

thanks,
sam

-----BEGIN PGP SIGNATURE-----

iOUEARYKAI0WIQQlpruI3Zt2TGtVQcJzhAn1IN+RkAUCZliEzF8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0MjVB
NkJCODhERDlCNzY0QzZCNTU0MUMyNzM4NDA5RjUyMERGOTE5MA8cc2FtQGdlbnRv
by5vcmcACgkQc4QJ9SDfkZChjQEA0eRxfH+qPBnVAG4k3veq2yjHq2J87WMctRBV
2I8rTQMA/RjJeQbfXP5lw1X/BXPnMp3enK/hpJxOAPcexX5/NvUJ
=XFuY
-----END PGP SIGNATURE-----