Closed ecki closed 2 months ago
I have reviewed the state of the repository. Everything is fine, normal bugs only.
The SECURITY.md changes were destroyed by force-push because I didn't have those commits locally and I had pushed commits to git.tukaani.org when GitHub was inaccessible to me.
I think the question is if JiaT75 was able to publish releases in public release repositories.
The first commit was on 9th Dec 2022 and the last tag version 1.9 was released in 2021. So at least the version in Debian Sid package repository should be safe.
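The reasoning in the comment above (first commit by the account after the last release tag, so the tagged release cannot contain that account's work) can be turned into a mechanical check with `git rev-list --author`. The script below is an added example, not code from the xz-java project or from anyone in this thread: it builds a throwaway repository with constructed history (a maintainer commit, a tag named v1.9 to mirror the release discussed here, then a commit by a made-up "New Contributor"), and reports how many of that author's commits are reachable from the tag versus only from the current branch. Author names, emails, file names and the tag are assumptions for the demonstration; in a real review you would run the same two functions against the actual repository, tag and author string.

```shell
#!/bin/sh
# Added example (not from the xz-java project or the issue thread): check
# whether any commit by a given author is reachable from a release tag.
# Builds a throwaway repository with constructed history so it runs offline.
set -eu

# Number of commits by AUTHOR reachable from REV (tag, branch or commit).
# 0 means none of that author's work is part of REV.
commits_by_author_in() {
    rev="$1"; author="$2"
    git -C "$REPO" rev-list --count --author="$author" "$rev"
}

# Number of commits by AUTHOR reachable from HEAD but not from TAG,
# i.e. work that landed only after the release was cut.
commits_by_author_since() {
    tag="$1"; author="$2"
    git -C "$REPO" rev-list --count --author="$author" "$tag..HEAD"
}

# Constructed history: one maintainer commit, a release tag, then a commit
# from a new contributor that arrives after the tag (all names are made up).
make_demo_repo() {
    REPO=$(mktemp -d)
    git init -q "$REPO"
    git -C "$REPO" config user.name "Maintainer"
    git -C "$REPO" config user.email "maintainer@example.invalid"
    echo "v1" > "$REPO/README"
    git -C "$REPO" add README
    git -C "$REPO" commit -q -m "Initial import"
    git -C "$REPO" tag v1.9        # release cut before the contributor appears
    echo "change" > "$REPO/Foo.java"
    git -C "$REPO" add Foo.java
    git -C "$REPO" -c user.name="New Contributor" \
                   -c user.email="contrib@example.invalid" \
                   commit -q -m "Later change"
}

main() {
    make_demo_repo
    echo "commits by New Contributor reachable from v1.9: $(commits_by_author_in v1.9 'New Contributor')"
    echo "commits by New Contributor after v1.9:          $(commits_by_author_since v1.9 'New Contributor')"
    rm -rf "$REPO"
}

main "$@"
```

The `--author` argument is a regular expression matched against the commit author; when auditing a real repository, match on the e-mail or the exact login rather than a display name, and remember that authorship metadata is self-reported, so a result of 0 only shows that no commit *claiming* that author is in the tag. Release tarballs and Maven artifacts still need to be compared against the tagged tree separately, since they are not derived from git history by this check.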
To Sonatype? No, that's my account which I obviously wouldn't share.
Maven repositories, releases, tarballs, etc. all don't contain any suspicious bytecode from my investigation. Based on how sophisticated this attack is, I wouldn't believe they'd try to attack something so easily reverse engineered. I recommend closure of this as there seems to be nothing fishy going on.
I suppose there could be intentionally introduced vulnerabilities just relating to poor code, but I don't believe that should be a worry from what I've read. I'd definitely consider this repository safe.
Describe the bug
The current xz-utils supply chain attack was caused by the same user account which is also a contributor here. Can you review the contributions and also the latest commits about governance changes (security.md)?
Version
All
Operating System
All
Relevant log output
No response