On 2024-03-30 22:59, Santiago Ruano Rincón wrote:

> The backdoor was discovered by someone using the compromised xz-utils *in
> their own machines*. So we are lucky we have people eating our own sid stuff
> before it becomes part of a stable release.
The luck was that this particular compromise was discovered, not that it happened.

I agree that dogfooding is important for discovering quality issues, but I think it's a poor argument for discovering security issues, especially if it concerns a host which is used for building and signing packages.

As I mentioned earlier, I think containers are one good way to have almost the best of both worlds. One can do anything one could do on the host, all while being isolated from that host, and with very little overhead but also a ton of useful extra features.

Best,
Christian