Implications of xz Backdoor

[jmertic]

As requested by @lgritz - short discussion on the implications for our projects.

Reading materials:

• Slack Thread discussion
• @JeanChristopheMorinPerso thoughts
• OpenSSF blog post

[jmertic]

Meeting scheduled for 4/22 - https://zoom-lfx.platform.linuxfoundation.org/meeting/92976878404?password=e38448b3-3540-4462-998b-db064f066499

[lgritz]

4/22 maybe?

[jmertic]

🤦 - good catch @lgritz . Fixed now

[jmertic]

Meeting held 4/22 - notes at https://hackmd.io/19JjhwdVTOqyWGBxVVxiPg?both#Meeting-notes-2024-04-22

Recommended actions from the group:

• Develop guidelines for projects for considering new maintainers and managing existing maintainers.
• Assessment of hardware/software environments where projects don't have the resources/expertise to adequately review incoming PRs ( namely Windows support, but also specialty architectures and GPUs ).
• Take Cary's list ( https://wiki.aswf.io/display/OEXR/OpenEXR+Project+Security+Hardening+Steps ) and build specific docs for project leads to follow to implement. Also, hold office hours for project leads to work with someone to help set it up.
• Develop a policy for accepting binary blobs.