On April 12, 2019 12:40:58 PM GMT+02:00, Hans-Christoph Steiner <[email protected]> wrote:
>
>Also, more bad news: it seems they kept their GPG signing key for their
>Debian packages online:
>
>https://github.com/matrix-org/matrix.org/issues/364
>
>You should immediately remove the riot Debian repo since the install
>process of deb packages runs things as root. You can see whether your
>Debian-ish machine has this repo by doing:
>
>$ grep riot.im /etc/apt/sources.list /etc/apt/sources.list.d/*
>
>.hc
>
>Abel Luck:
>> Also folks:
>>
>> If you still have Riot open and it hasn't logged you out yet, you need
>> to export your E2E room keys so you don't lose your chat history.
>>
>> Click your profile icon in the top left
>> Choose settings, then security
>> Click export E2E room keys
>> Create a new secure password you store in your password manager to
>> encrypt the keys with
>> Save them and wait for the service to come back so you can import them
>> again
>>
>> ~abel
>> _______________________________________________
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> To unsubscribe, email: [email protected]
>>
>
>--
>PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
>https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556

More details in the already linked blog post:

> This confirms that GPG keys used for signing packages were compromised. These keys are used for signing the synapse debian repository (AD0592FE47F0DF61), and releases of Riot/Web (E019645248E8F4A1). Both keys have now been revoked. The window of compromise for the keys started from April 4th; there have been no Synapse releases since then. There has been one release of Riot/Web (1.0.7), however as the key was passphrased and based on our initial analysis of the release, we believe it to be secure.

Marcus
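
The following script is an added example, not part of the original thread or of any Matrix/Riot tooling. It extends the `grep` check quoted above to skip commented-out source entries and to look for the two key IDs the blog post lists as revoked in a `gpg --with-colons` listing. The function names, the `--demo`/`--scan` switches and the sample repo path are assumptions made for illustration; `/etc/apt/trusted.gpg` and `/etc/apt/trusted.gpg.d/` are the standard apt keyring locations.

```shell
#!/bin/sh
# Key IDs the quoted blog post lists as revoked.
REVOKED_KEYS="AD0592FE47F0DF61 E019645248E8F4A1"

# Print "file:line:text" for each active apt source entry mentioning riot.im.
# Comment lines are skipped so a disabled entry is not reported; files that
# do not exist (e.g. an unmatched glob) are ignored.
find_riot_sources() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[[:space:]]*#/ && /riot\.im/ { print f ":" NR ":" $0 }' "$f"
    done
}

# Read a `gpg --with-colons` listing on stdin and print every key ID
# (field 5 of pub/sub records) that is on the revoked list.
find_revoked_keys() {
    awk -F: -v bad="$REVOKED_KEYS" '
        BEGIN { n = split(bad, ids, " "); for (i = 1; i <= n; i++) revoked[ids[i]] = 1 }
        ($1 == "pub" || $1 == "sub") && (toupper($5) in revoked) { print toupper($5) }'
}

# Constructed sample input (not from a real machine): one disabled and one
# active riot.im entry, plus a colon listing holding one revoked key ID.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# deb https://riot.im/example-path/ stable main' \
        'deb https://riot.im/example-path/ stable main' > "$tmp/riot.list"
    find_riot_sources "$tmp/riot.list" "$tmp/missing.list"
    printf '%s\n' 'pub:-:4096:1:AD0592FE47F0DF61:0:::-:::scESC::::::0:' \
        'pub:-:4096:1:0123456789ABCDEF:0:::-:::scESC::::::0:' | find_revoked_keys
    rm -rf "$tmp"
}

# Usage: sh check-riot.sh --demo | --scan   (script name is hypothetical)
case "${1:-}" in
    --demo) demo ;;
    --scan)
        find_riot_sources /etc/apt/sources.list /etc/apt/sources.list.d/*
        for ring in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg; do
            [ -f "$ring" ] || continue
            gpg --no-default-keyring --keyring "$ring" --list-keys --with-colons \
                2>/dev/null | find_revoked_keys
        done ;;
esac
```

No output from `--scan` means no active riot.im source entry and neither revoked key ID was found in the binary keyrings it inspected.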
