Mikel Olasagasti wrote:
For whatever reason Source for xz was changed 2 months ago[1] to use GH releases instead of tukaani.org site.
The public key jia_tan_pubkey.txt did not change at the same time. It was introduced on 2023-05-04 when the package was updated to version 5.4.3. Apparently the current tarballs on github.com and older tarballs on tukaani.org were signed with the same OpenPGP key.

Either the attacker has been preparing this for a long time, and is able to upload files to tukaani.org too, or else the attacker has compromised an honest developer and gained access to their secret OpenPGP key, their GitHub account, and probably all of their other credentials.
Björn Persson