Sam James posted on Wed, 29 May 2024 19:37:47 +0100 as excerpted: > # Sam James <s...@gentoo.org> (2024-05-29) > # OpenPGP key of malicious xz co-maintainer. This key is no longer used > # by any ebuilds in tree. Removal on 2024-06-29. > # Bug #928134. > sec-keys/openpgp-keys-jiatan
I'd suggest adding the xzutils GLSA and/or version mask and removal commit tags so people unfamiliar with the story coming across this in the git history say five years from now can easily see that Gentoo took the proper actions with appropriate timing. Also, might not hurt to make that "malicious xz upstream former co- maintainer" or some such, making even clearer that it wasn't gentoo-level package-maintainer, and that they *ARE* former. Finally, could we update security practices (maybe it's already in- process?) to ensure the bad key is masked and removed earlier, along with the bad packages/package-versions? I've no explanation how it could happen without a (n entirely theoretical, AFAIK) gentoo-level accomplice outing themselves, but it would sure look bad if some how, some way, something (even in an overlay) inexplicably started using such a key again while it was still in-tree. Maybe even provide an expedited security exception of some sort from normal tree-cleaning procedures for the sec- keys category? -- Duncan - List replies preferred. No HTML msgs. "Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman
