Jonathan Carter <j...@debian.org> wrote on 30/03/2024 at 09:49:33+0100:
> Hi Russ
>
> On 2024/03/29 23:38, Russ Allbery wrote:
>> I think the big open question we need to ask now is what exactly the
>> backdoor (or, rather, backdoors; we know there were at least two versions
>> over time) did.
>
> Another big question for me is whether I should really still
> package/upload/etc from an unstable machine. It seems that it may be
> prudent to consider it best practice to work from stable machines
> where any private keys are involved. For me it's just been so
> convenient to use unstable because it helps track changes that affect
> my users by the time it hits stable and also find bugs early that I
> care about, but perhaps I just need to make that adjustment and find
> more efficient ways to track unstable (perhaps on additional machines
> / VMs / etc). Not sure how other DDs think about this, but I'm also
> curious how they will deal with this, because there's near to no
> filter between unstable and the outside world, and this is probably
> not the last time someone will try something like this.

Needing to be able to see how things I package go on when reaching
unstable, I tend to work on testing/unstable laptops. I took some
measures to reduce the risks of a permanent compromission:

- My main GPG key is not on the machine (it's on a specific device I
  use only on my workstation);
- My subkeys are rotated periodically (two years-ish I'd say);
- They are on a YubiKey;
- My laptop/workstations are hardened (firewall, usbguard,
  non-necessary services are removed, …).

This of course is not enough to mitigate a full-fledged compromission,
but I believe we need to live with some status quo. This time we found
out the compromission "fast". But it could also have reached stable-bpo
or, like other non-voluntary flaws, lived in software for multiple
years.

While I'm fine changing the way I do things, I am not sure that there
is any reasonable extent we could reach in order to prevent such
situations.

-- 
PEB
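An added example, not code from the mail or from Debian: a POSIX shell check that reads a `gpg -K --with-colons` listing and verifies the three key-handling measures described in the reply (no primary secret key on the machine, subkeys on a token, subkey lifetime of about two years). The listings are constructed sample data; the key ids and token serial number are placeholders.

```shell
#!/bin/sh
# Added example, not code from the mail: audit a `gpg -K --with-colons`
# listing for the key handling the reply describes. Constructed data only;
# the key ids and the token serial number are placeholders.
#
# Relevant --with-colons fields: 1 record type, 5 key id, 6 creation time,
# 7 expiry time (both epoch seconds, empty = never), 15 token serial number,
# where '#' means the secret key is not on this machine and '+' means it is
# stored on disk.

check_key_hygiene() {
    # Reads a listing on stdin, prints one line per finding,
    # returns 0 when all three measures hold and 1 otherwise.
    awk -F: '
    BEGIN { bad = 0; max_life = 2 * 366 * 86400 }   # "two years-ish"
    $1 == "sec" && $15 != "#" {
        print "primary secret key " $5 " is present on this machine"; bad = 1
    }
    $1 == "ssb" {
        if ($15 == "#" || $15 == "+") { print "subkey " $5 " is not on a token"; bad = 1 }
        if ($7 == "")                 { print "subkey " $5 " never expires"; bad = 1 }
        else if ($7 - $6 > max_life)  { print "subkey " $5 " lives longer than two years"; bad = 1 }
    }
    END { exit bad }'
}

# Constructed listing matching the described setup: primary key is a stub,
# signing subkey sits on a token and expires ~694 days after creation.
GOOD_LISTING='sec:u:255:22:0123456789ABCDEF:1700000000:::u:::cSC:::#::ed25519::0:
fpr:::::::::00000000000000000000000123456789ABCDEF:
ssb:u:255:22:FEDCBA9876543210:1700000000:1760000000:::::s:::D2760001240103040006123456780000::ed25519::0:'

# Constructed listing of the pattern the mail warns about: primary secret
# key on disk and an on-disk subkey with no expiry.
BAD_LISTING='sec:u:255:22:0123456789ABCDEF:1700000000:::u:::cSC:::+::ed25519::0:
ssb:u:255:22:FEDCBA9876543210:1700000000::::::s:::+::ed25519::0:'

for name in GOOD_LISTING BAD_LISTING; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | check_key_hygiene; then
        echo "$name: ok"
    else
        echo "$name: needs attention"
    fi
done
```

On a real machine, pipe `gpg -K --with-colons` into `check_key_hygiene` instead of the constructed listings.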