Hi from the peanut gallery,
The xz tarball was only a (minor) part of the problem. A big part of the
backdoor was entirely in git and would probably also have been usable if
something else had been added.
Also, this tight coupling to git makes me uneasy. I like git and it's
one of the best things
On Saturday, 6 April 2024 18:22:22 CEST Sven Brauch wrote:
> This is basically a discussion about whether it is less risky to trust
> the individual developers, or the people with access to the CI signing
> key. You are trading likeliness of there being one bad actor vs. impact
> one bad actor can