[clarification] Packages built during potential compromise in 2019
First of all, apologies for my nescience about the recent security issue on the buildfarm, but I truly appreciate the quick turnout!
For the packages that are built and distributed while the security problem was present, is there any clarification and recommendation for how to deal with them?
I can imagine there might be many computers out in the world that have those packages installed on them, and I wonder if those packages need to be wiped out. If upgrading packages is recommended, for some of those systems (e.g. a production system deployed at a user's site) it might not be trivial to do so.
The closest thing to the information I'm looking for is from discourse.ros.org#9342/8 by @nuclearsandwich, from which I'm not yet sure about the type of packages I'm concerned about:
So far we have no indication that the intrusion was anything more than a commodity attack by a group looking to hijack CPU cycles. But we are unlikely to ever be able to completely rule out malicious interference in the ROS binary packaging pipeline. So in an abundance of caution we are (i) continuing to rebuild everything that we reasonably can and (ii) relocating the rest.
I'm not an authority here (hence the comment), but seeing as all packages have been rebuilt from scratch, installing all available updates should get you "in the clear".