Hi,

how should we react to the compromised xz-utils upload?

Ubuntu is reverting their amd64 binaries to pre-Feb 25 and rebuilding stuff. On Debian side AFAIU currently amd64 buildds are paused and pending reinstall (plus rotation of key material, both OpenPGP and SSH).

People are starting to investigate packages that have been built since the compromised xz-utils was uploaded, including packages built for stable suites using reproducible builds. Is there someone keeping track of this?

Should we also reset the archive to some prior state and rebuild packages like Ubuntu? Do we need to revert to an earlier date as vulnerable versions have been uploaded to experimental on 2024-02-01 (but the earlier version might only have corrupted test files, not the payload enabler)? If so, which suites and which architectures? (This will likely take a while to prepare.)

Do we need any other immediate actions?

Should we use something other than mail to keep track of what we want to do? (Mail threads can become hard to keep track of after all.)

(Let us please keep future improvements such as more isolated builds out of this particular discussion.)

Ansgar
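A triage helper for the investigation step described in the mail, added here as an example (it is not from the mail or from any Debian tool): it parses Debian .buildinfo records, flags builds whose Installed-Build-Depends include a suspect xz-utils/liblzma version, and marks amd64 builds after the 2024-02-01 cutoff for review. The suspect version strings and the two sample records are constructed placeholders, not real package data.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Placeholders: fill in the xz-utils/liblzma versions identified as compromised.
SUSPECT = {"xz-utils", "liblzma5", "liblzma-dev"}
SUSPECT_VERSIONS = {"X.Y.Z-1", "X.Y.Z-2"}
# Earliest upload of a suspect version mentioned in the mail (to experimental).
CUTOFF = datetime(2024, 2, 1, tzinfo=timezone.utc)
# "pkg (= ver)" or "pkg:arch (= ver)" as listed in Installed-Build-Depends.
DEP_RE = re.compile(r"^([^\s:]+)(?::\S+)? \(= ([^)]+)\)$")

def parse_buildinfo(text):
    """Parse RFC-822 style fields; indented lines continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
    return fields

def installed_deps(fields):
    """Map package name -> exact installed version from Installed-Build-Depends."""
    deps = {}
    for item in fields.get("Installed-Build-Depends", "").split(","):
        m = DEP_RE.match(item.strip())
        if m:
            deps[m.group(1)] = m.group(2)
    return deps

def assess(text):
    """rebuild: a suspect xz version was installed during the build.
    review: built on amd64 after the cutoff, so the builder itself may be affected."""
    f = parse_buildinfo(text)
    deps = installed_deps(f)
    built = parsedate_to_datetime(f["Build-Date"])
    hits = {p: v for p, v in deps.items() if p in SUSPECT and v in SUSPECT_VERSIONS}
    return {"source": f.get("Source"), "arch": f.get("Build-Architecture"),
            "suspect_deps": hits, "rebuild": bool(hits),
            "review": built >= CUTOFF and f.get("Build-Architecture") == "amd64"}

# Constructed sample records; package versions are placeholders.
SAMPLES = {
    "clean": "Source: foo\nVersion: 1.0-1\nBuild-Architecture: amd64\n"
             "Build-Date: Mon, 15 Jan 2024 08:00:00 +0000\n"
             "Installed-Build-Depends:\n libc6 (= A.B-1),\n liblzma5 (= A.B.C-1),\n",
    "tainted": "Source: bar\nVersion: 2.0-1\nBuild-Architecture: amd64\n"
               "Build-Date: Sat, 02 Mar 2024 10:00:00 +0000\n"
               "Installed-Build-Depends:\n libc6 (= A.B-1),\n liblzma5:amd64 (= X.Y.Z-1),\n",
}
```

Run `assess()` over every .buildinfo collected for the suites and architectures under discussion and sort the results by `rebuild` first, then `review`.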