Rich Freeman wrote:
> On Sat, Mar 30, 2024 at 10:57 AM Eddie Chapman <ed...@ehuk.net> wrote:
>
>> No, this is the bad actor *themselves* being a
>> principal author of the software, working stealthily and in very
>> sophisticated ways for years, to manoeuvre themselves and their
>> software into a position of trust in the ecosystem whereby they were
>> almost able to pull off the mother of all security nightmares for the
>> world.
>
> This is entirely speculative at this point. It isn't certain that the
> author is the one behind the exploit, and if they were, it is not known for
> how long their intentions were malicious, or even what their motivations
> were. It is also unclear what pseudonymous accounts with what projects
> are associated with the attacker.
For the purposes of this discussion I'm not speculating, nor interested in *who* is behind this, or whether whoever made the commits was a victim of account takeover. Certain key actions that have been taken over time by whoever is/was behind this do not require any speculation; they speak for themselves, and are clearly malicious. There is no need to wait for anything more to be revealed to be able to plainly see how bad it is.

While we wait and see, huge numbers of people might be suffering real and serious consequences of continued use of xz-utils. The consequences may be completely hidden, if you go by how well the bad actor here has managed to hide what they have done. If you are following developments you can see right now with your own eyes how incredibly difficult it is for our smartest people to unravel and pick through what this actor has done. To have faith that everything malicious the perpetrator has done will be unravelled over time by our collective smart minds going over the codebase with a fine-tooth comb puts far too much faith in human beings and takes unnecessary risks for something that is not worth that risk when there are alternatives.

If you were looking for a compression tool for a new project, why would anyone sane take such risks for such little gain? You just wouldn't. Of course the reason there is hesitancy is because xz has become so deeply entrenched in our world that it's become almost too hard to extricate ourselves from it. I dare say the attacker realised this and probably sought to take advantage of that fact.

However, I do acknowledge and realise the significant practical difficulties that would be involved in making xz-utils something optional within Gentoo.