Following on from the xz-utils code injection, it's clearly critical to validate binary blobs, so I tried to do that and am recording what I found here.
https://lists.mercurial-scm.org/pipermail/mercurial-packaging/2024-August/000737.html is the best validation I could find for mercurial-6.8.1.tar.gz. The upstream signature for this tarball validates against this key fingerprint, and it contains an identical binary blob. This also matches the blob downloadable from https://repo.mercurial-scm.org/hg/rev/3cf9e52f5e27.

Sorry I didn't finish reviewing this. I'll get back to it this week.

--
https://bugs.launchpad.net/bugs/2070443
Title: SRU: Fix critical regression in Mercurial 6.7.x < 6.7.4
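One way to automate the "identical binary blob" check described above, as an added example that is not from the bug thread or the Mercurial project: it unpacks a release tarball and compares every file byte-for-byte with the same path in a checked-out repository, reporting anything the tarball ships that the repository lacks or that differs. The signature check itself is not included, and the fixture files and names (mercurial-demo, tests/blob.bin) are constructed assumptions for the demo.

```shell
#!/bin/sh
# compare_tarball_to_repo TARBALL REPO_DIR
# Prints one line per file that exists only in the tarball or differs from the
# repository copy. Returns 0 when every file in the tarball has an identical
# copy in REPO_DIR, 1 otherwise. Files present only in the repository are not
# reported, since release tarballs legitimately omit e.g. VCS metadata.
compare_tarball_to_repo() {
    tarball=$1; repo=$2
    work=$(mktemp -d); report=$(mktemp)
    tar -xzf "$tarball" -C "$work"
    top=$(ls "$work" | head -n 1)          # single top-level dir of the tarball
    (cd "$work/$top" && find . -type f) | sort | while read -r rel; do
        rel=${rel#./}
        if [ ! -f "$repo/$rel" ]; then
            echo "only in tarball: $rel" >> "$report"
        elif ! cmp -s "$work/$top/$rel" "$repo/$rel"; then
            echo "differs: $rel" >> "$report"   # byte-for-byte mismatch
        fi
    done
    cat "$report"
    n=$(wc -l < "$report" | tr -d ' ')
    rm -rf "$work" "$report"
    [ "$n" -eq 0 ]
}

# build_fixtures DIR: constructed demo data (assumption, not real Mercurial
# files). Produces DIR/repo (the "checked-out repository"), DIR/clean.tar.gz
# built straight from it, and DIR/tampered.tar.gz whose copy of the binary
# test blob has one altered byte.
build_fixtures() {
    base=$1
    mkdir -p "$base/repo/tests" "$base/src/mercurial-demo/tests"
    printf 'print("hello")\n' > "$base/repo/setup.py"
    printf '\211BLOB\001\002\003' > "$base/repo/tests/blob.bin"
    cp "$base/repo/setup.py" "$base/src/mercurial-demo/setup.py"
    printf '\211BLOB\001\002\377' > "$base/src/mercurial-demo/tests/blob.bin"
    tar -czf "$base/tampered.tar.gz" -C "$base/src" mercurial-demo
    mkdir -p "$base/clean/mercurial-demo"
    cp -R "$base/repo/." "$base/clean/mercurial-demo/"
    tar -czf "$base/clean.tar.gz" -C "$base/clean" mercurial-demo
}
```

Run `d=$(mktemp -d); build_fixtures "$d"; compare_tarball_to_repo "$d/tampered.tar.gz" "$d/repo"` to see the altered blob reported; for a real release, point the function at the downloaded tarball and a clean checkout of the tagged revision.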