On 4/4/24 14:04, Arnie T via devel wrote:
Hi Stephen,

Thanks for the explanation.

I just caught up with the article at the New York Times,

 Did One Guy Just Stop a Huge Cyberattack?
https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html

And the comic that looks like it fits the problem I'm most noticing here!

https://xkcd.com/2347/

I have to admit that I still don't know what the best or most official "At least do this" instruction page is for a Fedora user. I don't see anything at the main https://fedoraproject.org/ website or its "News & Announcements" page.

TL;DR: as with most security issues, end users should update their systems.

I think you may be caught in some news exaggeration. Don't get me wrong, this hack was a huge thing, but it was discovered early enough that most (I'd guess almost all) Fedora users won't have to do anything.

For Fedora, the problem package was only in Fedora 40 Beta and Fedora Rawhide. If you are not running these packages, this isn't more than a "wow, that was a near miss" for the end user. If you are running either version, the xz maintainer has already rolled back the problem update, so if you use "dnf update" you are safe.

Because of a stroke of luck (finding this as early as we did) it's as simple as that: we have an assumed good version that users can 'update' to, and beyond that, we developers need to verify that the assumed good version is actually good, and if it isn't, issue new updates.


In this thread it's becoming about the details of the process. But not yet about a solution. All of which I get. And in private emails people are insisting on sending to me about how I'm unreasonable for asking the questions, and "should have" understood this or that.

So, with your discussion the best guess I can come up with is to make sure XZ is downgraded and just hope that one of this Jia Tan's 6000+ commits is still hidden in some other project with not enough eyes. Or that the XKCD coming true doesn't happen again.

Cheers!

 Arnie



--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--
Cheers,
Guinevere Larsen
She/Her/Hers
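The "make sure XZ is downgraded" check discussed above, written out as an added example (this is not code from the thread, from Fedora, or from the xz project): a POSIX shell script that reads the installed xz-libs package version with rpm and flags the two backdoored upstream releases. The affected version numbers (5.6.0 and 5.6.1, tracked as CVE-2024-3094) are not stated in the thread; the NVRA strings used when rpm is unavailable are constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora: report whether the
# installed xz-libs package is one of the backdoored upstream releases.
# Affected upstream versions: 5.6.0 and 5.6.1 (CVE-2024-3094). This fact is
# not stated in the thread above; it is supplied here.

# Print the VERSION field of an rpm NVRA string such as
# "xz-libs-5.6.0-2.fc40.x86_64" (NAME-VERSION-RELEASE.ARCH).
xz_version_from_nvra() {
    nv=${1%-*}                 # strip "-RELEASE.ARCH" -> "xz-libs-5.6.0"
    printf '%s\n' "${nv##*-}"  # strip "NAME-"         -> "5.6.0"
}

# Exit status 0 when VERSION is a backdoored upstream release, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify one installed package: prints a verdict, returns 0 if affected.
# A hit means the rollback the thread mentions has not reached this host yet.
xz_check_nvra() {
    ver=$(xz_version_from_nvra "$1")
    if xz_version_affected "$ver"; then
        printf 'AFFECTED  %s (xz %s is a backdoored release; run dnf update)\n' "$1" "$ver"
        return 0
    fi
    printf 'ok        %s (xz %s)\n' "$1" "$ver"
    return 1
}

# Check every installed xz-libs package (multilib hosts can have more than
# one). Returns 0 if any is affected. When rpm or the package is not present,
# falls back to a constructed sample list so the script still runs offline.
xz_check_host() {
    if command -v rpm >/dev/null 2>&1 && rpm -q xz-libs >/dev/null 2>&1; then
        pkgs=$(rpm -q xz-libs)   # default query output is one NVRA per line
    else
        echo "rpm/xz-libs not found; using constructed sample input" >&2
        pkgs="xz-libs-5.6.0-2.fc40.x86_64
xz-libs-5.4.6-1.fc39.x86_64"
    fi
    hit=1
    for p in $pkgs; do
        if xz_check_nvra "$p"; then hit=0; fi
    done
    return $hit
}

if xz_check_host; then
    echo "at least one backdoored xz-libs build is installed"
else
    echo "no backdoored xz-libs build found"
fi
```

Matching on the exact upstream version rather than on "5.6.x or newer" is deliberate: later 5.6.x releases cut after the cleanup are not the compromised tarballs, and a plain "is it downgraded?" comparison would also misfire on distributions that kept the 5.6 version number with patched sources.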