guix-devel

Re: backdoor injection via release tarballs combined with binary artifac


From: Skyler Ferris
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Sun, 14 Apr 2024 16:22:19 +0000

On 4/13/24 05:47, Giovanni Biscuolo wrote:
> Hello Skyler,
>
> Skyler Ferris <skyvine@protonmail.com> writes:
>
>> On 4/12/24 23:50, Giovanni Biscuolo wrote:
>>> general reminder: please remember the specific scope of this (sub)thread
> [...]
>
> >>> (https://yhetil.org/guix/8734s1mn5p.fsf@xelera.eu/)
>>>
>>> ...and if needed read that message again to understand the context,
>>> please.
>>>
>> I assume that this was an indirect response to the email I sent
>> previously where I discussed the problems with PGP signatures on release
>> files.
> No, believe me! I'm sorry I gave you this impression. :-)
>
>> I believe that this was in scope
> To be clear: not only I did not mean to say - even indirectly - that you
> were out of scope _or_ that you did not understand the context.
>
> Also, I really did not mean to /appear/ as the "coordinator" of this
> (sub)thread and even less to /appear/ as the one who decides what's in
> scope and what's OT; obviously everyone is absolutely free to decide
> what is in scope and that she or he understood the context.
>
>> because of the discussion about whether to use VCS checkouts which
>> lack signatures or release tarballs which have signatures.
> I still have not commented what you discussed just because I lack time,
> not interest; if I can I'll do it ASAP™ :-(
>
> [...]
>
> Thanks! Gio'
>
Thanks for clarifying! Misunderstandings happen sometimes. I look 
forward to hearing your thoughts if you're able to find time to share
them! =)



