Sam James posted on Wed, 29 May 2024 19:37:47 +0100 as excerpted:

> # Sam James <> (2024-05-29)
> # OpenPGP key of malicious xz co-maintainer. This key is no longer used
> # by any ebuilds in tree. Removal on 2024-06-29.
> # Bug #928134.
> sec-keys/openpgp-keys-jiatan

I'd suggest adding the xzutils GLSA and/or version mask and removal commit 
tags so people unfamiliar with the story coming across this in the git 
history say five years from now can easily see that Gentoo took the proper 
actions with appropriate timing.

Also, might not hurt to make that "malicious xz upstream former co-
maintainer" or some such, making even clearer that it wasn't gentoo-level 
package-maintainer, and that they *ARE* former.

Finally, could we update security practices (maybe it's already in-
process?) to ensure the bad key is masked and removed earlier, along with 
the bad packages/package-versions?  I've no explanation how it could 
happen without a (n entirely theoretical, AFAIK) gentoo-level accomplice 
outing themselves, but it would sure look bad if some how, some way, 
something (even in an overlay) inexplicably started using such a key again 
while it was still in-tree.  Maybe even provide an expedited security 
exception of some sort from normal tree-cleaning procedures for the sec-
keys category?

Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

Reply via email to