Mikel Olasagasti wrote: > For whatever reason Source for xz was changed 2 months ago[1] to use > GH releases instead of tukaani.org site.
The public key jia_tan_pubkey.txt did not change at the same time. It was introduced on 2023-05-04 when the package was updated to version 5.4.3. Apparently the current tarballs on github.com and older tarballs on tukaani.org were signed with the same OpenPGP key. Either the attacker has been preparing this for a long time, and is able to upload files to tukaani.org too, or else the attacker has compromised an honest developer and gained access to their secret OpenPGP key, their Github account, and probably all of their other credentials. Björn Persson
pgpcAJciGABWI.pgp
Description: OpenPGP digital signatur
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
