| 28 May 2025 |
 emily | ah, I see :) | 02:04:44 |
| emily | but you don't need to go back more than a few weeks for staging-next to mean no built packages before then would end up in the closure? | 02:05:16 |
| emily | (ignoring FODs) | 02:05:19 |
| emily | world rebuilds happen a lot more than every half-decade | 02:05:28 |
 raboof | emily: starting from an old image reduces the attack surface for supply chain attacks somewhat: an attacker would've had to infect either the 20.03 image or one of a narrower set of more recent packages. but I agree it's somewhat in the 'long tail' of concerns :) | 06:37:26 |
| emily | because even though it "adds" the risk of vulnerabilities in 20.03 producing incorrect results, one can presume that such an elaborate backdoor would have infected the bootstrap tarballs since then? fair enough | 11:16:47 |
