From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Re: Last rites: sec-keys/openpgp-keys-jiatan
Date: Thu, 30 May 2024 06:49:32 -0000 (UTC)
References: <875xuwfoqs.fsf@gentoo.org>

Sam James posted on Wed, 29 May 2024 19:37:47 +0100 as excerpted:

> # Sam James (2024-05-29)
> # OpenPGP key of malicious xz co-maintainer. This key is no longer used
> # by any ebuilds in tree. Removal on 2024-06-29.
> # Bug #928134.
> sec-keys/openpgp-keys-jiatan

I'd suggest adding the xzutils GLSA and/or version mask and removal commit tags so people unfamiliar with the story coming across this in the git history, say five years from now, can easily see that Gentoo took the proper actions with appropriate timing.

Also, might not hurt to make that "malicious xz upstream former co-maintainer" or some such, making even clearer that it wasn't a gentoo-level package-maintainer, and that they *ARE* former.

Finally, could we update security practices (maybe it's already in-process?) to ensure the bad key is masked and removed earlier, along with the bad packages/package-versions? I've no explanation how it could happen without a(n entirely theoretical, AFAIK) gentoo-level accomplice outing themselves, but it would sure look bad if somehow, some way, something (even in an overlay) inexplicably started using such a key again while it was still in-tree. Maybe even provide an expedited security exception of some sort from normal tree-cleaning procedures for the sec-keys category?

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman