Re: Coordinate response to xz-utils (DSA 5649-1)

2024-03-30 Thread Aurelien Jarno
Hi,

On 2024-03-29 23:59, Ansgar wrote:
> Hi,
>
> how should we react to the compromised xz-utils upload?
>
> Ubuntu is reverting their amd64 binaries to pre-Feb 25 and rebuilding
> stuff.
>
> On Debian side AFAIU currently amd64 buildds are paused and pending
> reinstall (plus rotation of

Re: Coordinate response to xz-utils (DSA 5649-1)

2024-03-30 Thread Bastian Blank
On Fri, Mar 29, 2024 at 11:59:38PM +0100, Ansgar wrote:
> Should we also reset the archive to some prior state and rebuild
> packages like Ubuntu? Do we need to revert to an earlier date as
> vulnerable versions have been uploaded to experimental on 2024-02-01
> (but the earlier version might

Re: Reproducible Builds for recent Debian security updates

2024-03-30 Thread Salvatore Bonaccorso
Hi Vagrant,

On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> Philipp Kern asked about trying to do reproducible builds checks for
> recent security updates to try to gain confidence about Debian's buildd
> infrastructure, given that they run builds in sid chroots which may

Re: Coordinate response to xz-utils (DSA 5649-1)

2024-03-30 Thread Bastian Blank
On Sat, Mar 30, 2024 at 10:28:04AM +0100, Bastian Blank wrote:
> We have a suite with some project management capabilities: salsa. Let's
> just use it instead of ad-hoc tools. I don't think we have something
> better right now?

This is now https://salsa.debian.org/ftp-team/xz-2024-incident/

Re: Reproducible Builds for recent Debian security updates

2024-03-30 Thread Vagrant Cascadian
On 2024-03-30, Salvatore Bonaccorso wrote:
> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
>> Philipp Kern asked about trying to do reproducible builds checks for
>> recent security updates to try to gain confidence about Debian's buildd
>> infrastructure, given that they run

Re: Reproducible Builds for recent Debian security updates

2024-03-30 Thread Vagrant Cascadian
On 2024-03-29, Vagrant Cascadian wrote:
> So far, I have not found any reproducibility issues; everything I tested
> I was able to get to build bit-for-bit identical with what is in the
> Debian archive.
>
> I only tested bookworm security updates (not bullseye)
...
> Not yet finished building:
>

Re: Reproducible Builds for recent Debian security updates

2024-03-30 Thread Salvatore Bonaccorso
Hi,

On Sat, Mar 30, 2024 at 03:05:03PM -0700, Vagrant Cascadian wrote:
> On 2024-03-30, Salvatore Bonaccorso wrote:
> > On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> >> Philipp Kern asked about trying to do reproducible builds checks for
> >> recent security updates to try

Re: Reproducible Builds for recent Debian security updates

2024-03-30 Thread Vagrant Cascadian
On 2024-03-30, Vagrant Cascadian wrote:
> On 2024-03-30, Salvatore Bonaccorso wrote:
>> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
>>> Philipp Kern asked about trying to do reproducible builds checks for
>>> recent security updates to try to gain confidence about Debian's