It's also kinda enlightening how distros react to the #xz backdoor:
* #arch: "let's re-release the version from the untrusted party; we run autogen.sh ourselves now"
* #debian: "let's roll back to the last version without any changes by the untrusted party and rebuild our infra from scratch"
I know which of these I trust more as an upstream ...
Bubu, in reply to Bjoern Michaelsen:
Debian didn't roll back to a version before any commits from the malicious actor either. As far as I understand, this is difficult to do because of API breakage.
See here for the discussion around that: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
#1068024 - revert to version that does not contain changes by bad actor - Debian Bug report logs