oss-security - Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Wed, 10 Apr 2024 17:32:57 +0100
From: Chris Down <chris@...isdown.name>
To: oss-security@...ts.openwall.com
Cc: Sam James <sam@...too.org>, Joey Hess <id@...yh.name>,
	Jonathan Nieder <jrnieder@...il.com>,
	Andres Freund <andres@...razel.de>,
	Lasse Collin <lasse.collin@...aani.org>, xz@...aani.org,
	secalert@...hat.com, team@...urity.debian.org
Subject: Re: Analysis on who is Jia Tan, and who he could work
 for, reading xz.git

I do not think that oss-security is a good location for an identity witch hunt, 
this feels like the wrong place.

Anyway, none of those timestamps are validated, they just come from git. Any 
even slightly competent security agency is going to have obscured them, so 
analysis of them likely just directly plays into their hands.

Slightly more difficult (although of course not impossible) to obscure is the 
actual time of work based on time of receipt by other parties, but I certainly 
wouldn't do analysis on unverified timezones.

Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.