guix-devel

Re: backdoor injection via release tarballs combined with binary artifac


From: Giovanni Biscuolo
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Sat, 13 Apr 2024 14:47:01 +0200

Hello Skyler,

Skyler Ferris <skyvine@protonmail.com> writes:

> On 4/12/24 23:50, Giovanni Biscuolo wrote:

>> general reminder: please remember the specific scope of this (sub)thread

[...]

>> (https://yhetil.org/guix/8734s1mn5p.fsf@xelera.eu/)
>>
>> ...and if needed read that message again to understand the context,
>> please.
>>
> I assume that this was an indirect response to the email I sent 
> previously where I discussed the problems with PGP signatures on release 
> files.

No, believe me! I'm sorry I gave you this impression. :-)

> I believe that this was in scope

To be clear: not only I did not mean to say - even indirectly - that you
were out of scope _or_ that you did not understand the context.

Also, I really did not mean to /appear/ as the "coordinator" of this
(sub)thread and even less to /appear/ as the one who decides what's in
scope and what's OT; obviously everyone is absolutely free to decide
what is in scope and that she or he understood the context.

> because of the discussion about whether to use VCS checkouts which
> lack signatures or release tarballs which have signatures.

I still have not commented on what you discussed just because I lack time,
not interest; if I can I'll do it ASAP™ :-(

[...]

Thanks! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

Attachment: signature.asc
Description: PGP signature

