Hi,
On 2024-03-29 23:59, Ansgar wrote:
> Hi,
>
> how should we react to the compromised xz-utils upload?
>
> Ubuntu is reverting their amd64 binaries to pre-Feb 25 and rebuilding
> stuff.
>
> On Debian side AFAIU currently amd64 buildds are paused and pending
> reinstall (plus rotation of
On Fri, Mar 29, 2024 at 11:59:38PM +0100, Ansgar wrote:
> Should we also reset the archive to some prior state and rebuild
> packages like Ubuntu? Do we need to revert to an earlier date as
> vulnerable versions have been uploaded to experimental on 2024-02-01
> (but the earlier version might
Hi Vagrant,
On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> Philipp Kern asked about trying to do reproducible builds checks for
> recent security updates to try to gain confidence about Debian's buildd
> infrastructure, given that they run builds in sid chroots which may
On Sat, Mar 30, 2024 at 10:28:04AM +0100, Bastian Blank wrote:
> We have a suite with some project management capabilities: salsa. Let's
> just use it instead of ad-hoc tools. I don't think we have something
> better right now?
This is now https://salsa.debian.org/ftp-team/xz-2024-incident/
On 2024-03-30, Salvatore Bonaccorso wrote:
> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
>> Philipp Kern asked about trying to do reproducible builds checks for
>> recent security updates to try to gain confidence about Debian's buildd
>> infrastructure, given that they run
On 2024-03-29, Vagrant Cascadian wrote:
> So far, I have not found any reproducibility issues; everything I tested
> I was able to get to build bit-for-bit identical with what is in the
> Debian archive.
>
> I only tested bookworm security updates (not bullseye)
...
> Not yet finished building:
>
Hi,
On Sat, Mar 30, 2024 at 03:05:03PM -0700, Vagrant Cascadian wrote:
> On 2024-03-30, Salvatore Bonaccorso wrote:
> > On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> >> Philipp Kern asked about trying to do reproducible builds checks for
> >> recent security updates to try
On 2024-03-30, Vagrant Cascadian wrote:
> On 2024-03-30, Salvatore Bonaccorso wrote:
>> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
>>> Philipp Kern asked about trying to do reproducible builds checks for
>>> recent security updates to try to gain confidence about Debian's