by tutfbhuf 808 days ago
So, you suggest that Frederik Schwan had prior knowledge of the security issues but hid the real purpose of the commit under "improve reproducibility"?
3 comments

Yes.

I've never had to do it myself but I believe that's common practice with embargoes on security vulnerabilities.

And if you break the embargo too many times then you just find out with the rest of us, and that's not a great way to run a distro. I believe OpenBSD is or was in that position around the time of the Intel speculative execution bugs.
It can lead to amusing cases where the intentional vuln comes in "to improve x" and the quiet fix comes in "to improve x".
xz was masked in the Gentoo repositories earlier today with the stated reason of "Investigating serious bug". No mention of security. It's pretty likely.
5.6.1 is masked specifically.

Also, https://mastodon.social/@mgorny@treehouse.systems/1121802382... from a Gentoo dev mentions that Gentoo doesn't use the patch that results in sshd getting linked against liblzma.

As far as I know this is not an official communication channel so don't take it as such.

This is very likely the case. Arch maintainers do get early information on CVEs just like any other major distro.

But with pacman/makepkg 6.1 (which was recently released) git sources can also now be checksummed IIRC, which is a funny coincidence.