top | item 39867431

(no title)

+1 Can see from project homepage http://web.archive.org/web/20240329165859/https://xz.tukaani... they have some release responsibility from 5.2.12.

> Versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key . The older releases have been signed with Lasse Collin's OpenPGP key .

It must be assume that before acquiring that privilege, they also contributed code to project. Probably most was to establish respectable record. Still could be malicious code going back someways.

discuss

0x0|1 year ago

Looks like the Jia Tan OpenPGP key was replaced a few months ago as well: https://github.com/tukaani-project/tukaani-project.github.io...