public inbox for gentoo-dev@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Re: Last rites: sec-keys/openpgp-keys-jiatan
Date: Thu, 30 May 2024 06:49:32 -0000 (UTC)
Message-ID: <pan$16f6b$9d9327a2$12230b4b$b35cedd8@cox.net>
In-Reply-To: 875xuwfoqs.fsf@gentoo.org

Sam James posted on Wed, 29 May 2024 19:37:47 +0100 as excerpted:

> # Sam James <sam@gentoo.org> (2024-05-29)
> # OpenPGP key of malicious xz co-maintainer. This key is no longer used
> # by any ebuilds in tree. Removal on 2024-06-29.
> # Bug #928134.
> sec-keys/openpgp-keys-jiatan

I'd suggest adding the xzutils GLSA and/or version mask and removal commit 
tags so people unfamiliar with the story coming across this in the git 
history say five years from now can easily see that Gentoo took the proper 
actions with appropriate timing.

Also, might not hurt to make that "malicious xz upstream former 
co-maintainer" or some such, making even clearer that it wasn't 
Gentoo-level package-maintainer, and that they *ARE* former.

Finally, could we update security practices (maybe it's already 
in-process?) to ensure the bad key is masked and removed earlier, along 
with the bad packages/package-versions?  I've no explanation how it could 
happen without an (entirely theoretical, AFAIK) Gentoo-level accomplice 
outing themselves, but it would sure look bad if somehow, some way, 
something (even in an overlay) inexplicably started using such a key again 
while it was still in-tree.  Maybe even provide an expedited security 
exception of some sort from normal tree-cleaning procedures for the 
sec-keys category?

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

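One way to automate the check Duncan asks for in his last paragraph (that nothing in the main tree or an overlay still pulls in a key package that has been masked), written here as an added Python example that is not part of this thread and not Gentoo's own tooling. The package.mask fragment is the one quoted in the last-rites mail; the two ebuild fragments, the key file names, and the regex-based atom matching are constructed for illustration (a production check would use portage's atom parser instead of a regex), and the script writes the sample tree to a temporary directory so it runs offline.

```python
"""Flag ebuilds that still reference a package masked as a whole (constructed example)."""
import re
import tempfile
from pathlib import Path

# Constructed package.mask fragment in the profile format Gentoo uses:
# a comment block, then one or more atoms, entries separated by blank lines.
# The first entry is the one quoted in the last-rites mail.
SAMPLE_PACKAGE_MASK = """\
# Sam James <sam@gentoo.org> (2024-05-29)
# OpenPGP key of malicious xz co-maintainer. This key is no longer used
# by any ebuilds in tree. Removal on 2024-06-29.
# Bug #928134.
sec-keys/openpgp-keys-jiatan

# Some Dev <dev@example.org> (2024-01-01)
# Unrelated versioned mask, constructed; must not produce a hit below.
=app-misc/foo-1.0
"""

# Constructed ebuild fragments: one clean, one that still depends on the masked key.
# Paths, versions and key file names are illustrative, not the real tree.
SAMPLE_EBUILDS = {
    "app-arch/xz-utils/xz-utils-5.6.2.ebuild": """\
EAPI=8
inherit verify-sig
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
""",
    "app-arch/xz-utils/xz-utils-5.6.1.ebuild": """\
EAPI=8
inherit verify-sig
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-jiatan )"
""",
}


def parse_masked_packages(mask_text: str) -> set[str]:
    """Return package names masked as a whole (unversioned atoms).

    Versioned entries such as =app-misc/foo-1.0 are skipped on purpose: a
    dependency on app-misc/foo stays legitimate while other versions remain.
    Lines starting with '-' (profile unmasks) are skipped as well.
    """
    masked = set()
    for raw in mask_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line[0] in "<>=~!-":
            continue
        pkg = line.split(":", 1)[0]  # drop a slot suffix if present
        if re.fullmatch(r"[a-z0-9_-]+/[A-Za-z0-9_+-]+", pkg):
            masked.add(pkg)
    return masked


def references_package(text: str, pkg: str) -> bool:
    """True if text mentions pkg as an atom, not as a prefix of a longer name.

    'sec-keys/openpgp-keys-jiatan-20240101' (versioned) counts as a hit;
    'sec-keys/openpgp-keys-jiatan2' or '...-jiatan-extra' does not.
    """
    pattern = (r"(?<![A-Za-z0-9_+-])" + re.escape(pkg)
               + r"(?![A-Za-z0-9_+])(?!-[A-Za-z_+])")
    return re.search(pattern, text) is not None


def find_stale_consumers(tree_root: Path, masked: set[str]) -> list[tuple[str, str]]:
    """Walk every .ebuild under tree_root (main tree or overlay) and report
    (ebuild, package) pairs where the ebuild still references a masked package,
    e.g. in the BDEPEND of a verify-sig consumer."""
    hits = []
    for ebuild in sorted(tree_root.rglob("*.ebuild")):
        text = ebuild.read_text(encoding="utf-8", errors="replace")
        for pkg in sorted(masked):
            if references_package(text, pkg):
                hits.append((ebuild.relative_to(tree_root).as_posix(), pkg))
    return hits


def write_sample_tree(root: Path) -> None:
    """Materialise the constructed ebuilds under root."""
    for rel, body in SAMPLE_EBUILDS.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def run_check() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp dir and run the check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return find_stale_consumers(root, parse_masked_packages(SAMPLE_PACKAGE_MASK))


if __name__ == "__main__":
    for ebuild, pkg in run_check():
        print(f"{ebuild}: still references masked {pkg}")
```

Run against a real checkout by pointing find_stale_consumers at the repository root and feeding it the profile's package.mask; an empty result is the condition Duncan wants before a sec-keys package is allowed to sit in-tree at all, and a non-empty one is the "inexplicably started using such a key again" case, whether in the tree or in an overlay.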


Thread overview: 5+ messages
2024-05-29 18:37 [gentoo-dev] Last rites: sec-keys/openpgp-keys-jiatan Sam James
2024-05-30  6:49 ` Duncan [this message]
2024-05-30 13:50   ` [gentoo-dev] " Sam James
2024-05-30  7:42 ` [gentoo-dev] " Ulrich Mueller
2024-05-30 13:53   ` Sam James
