
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.os.linux.slackware      I think its the one without Selinux crap      87,272 messages   


   Message 86,632 of 87,272   
   Henrik Carlqvist to Rich   
   Re: Heads-up Slackware-current users: CV   
   01 Apr 24 10:42:05   
   
   From: Henrik.Carlqvist@deadspam.com   
      
   On Sat, 30 Mar 2024 16:50:36 +0000, Rich wrote:   
   > You can sign your release packages, which indicate they came from you.   
   > And you can verify the signatures of your dependencies to verify they   
   > came from the dependency author.  But if the dependency author starts   
   > running a "backdoor op" on your dependency, you are owned nonetheless.   
   > You verified you were using the proper, official, dependency.  It's just   
   > that the proper, official, one is the one that has been backdoored.   
      
   Yes, this was even more sneaky. A malicious user has spent a couple of   
   years to gain the trust to become co-maintainer of project xz. This   
   malicious user "Jia Tan" could sign his commits and release packages with   
   GPG keys probably built only for the purpose of a fake "Jia Tan" account.   
      
   The sneaky part in this is not that the main developer of xz trusted "Jia   
   Tan". The sneaky part is not that Linux distributions trusted official   
   source packages of xz. The sneaky part is that OpenSSH which does not   
   even itself depend upon xz or liblzma got a backdoor on systemd based   
   systems.   
      
   regards Henrik   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
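
Added example, not part of either post: a check for the indirect linkage the reply describes, walking DT_NEEDED entries from `readelf -d` output to find the chain by which a binary loads liblzma without listing it itself. The `readelf` text below is constructed sample data, and the binary names and the use of libsystemd as the intermediate library are assumptions made for illustration.

```python
import re
from collections import deque

# Matches one DT_NEEDED line as printed by `readelf -d <file>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def parse_needed(readelf_text):
    """Return the sonames a file lists directly in its dynamic section."""
    return NEEDED_RE.findall(readelf_text)

def find_chain(root, target_prefix, dynamic_sections):
    """Breadth-first walk of DT_NEEDED edges starting at root.
    Returns the shortest chain ending at a library whose soname starts
    with target_prefix, or None if that library is never pulled in."""
    queue, seen = deque([[root]]), {root}
    while queue:
        chain = queue.popleft()
        for dep in parse_needed(dynamic_sections.get(chain[-1], "")):
            if dep.startswith(target_prefix):
                return chain + [dep]
            if dep not in seen:
                seen.add(dep)
                queue.append(chain + [dep])
    return None

def _dyn(*libs):
    """Build constructed `readelf -d` lines for the sample below."""
    return "\n".join(
        f" 0x0000000000000001 (NEEDED)             Shared library: [{lib}]"
        for lib in libs)

# Constructed sample: hypothetical binary names, not captured from a real host.
SAMPLE = {
    "sshd-distro-patched": _dyn("libcrypto.so.3", "libsystemd.so.0", "libc.so.6"),
    "sshd-unpatched": _dyn("libcrypto.so.3", "libc.so.6"),
    "libsystemd.so.0": _dyn("libcap.so.2", "liblzma.so.5", "libc.so.6"),
    "libcrypto.so.3": _dyn("libc.so.6"),
}

if __name__ == "__main__":
    for binary in ("sshd-distro-patched", "sshd-unpatched"):
        chain = find_chain(binary, "liblzma", SAMPLE)
        print(binary, "->", " -> ".join(chain) if chain else "liblzma not reachable")
```

On a real host, fill the dictionary with the `readelf -d` output of the binary and of each library it resolves to; a chain longer than two entries means the library arrives only through another dependency.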



(c) 1994,  bbs@darkrealms.ca