On 2024-03-31 01:33, Eli Schwartz wrote:
> On 3/29/24 11:07 PM, Eddie Chapman wrote:
>> Given what we've learnt in the last 24hrs about xz utilities, you could
>> forgive a paranoid person for seriously considering getting rid entirely
>> of them from their systems, especially since there are suitable
>> alternatives available. Some might say that's a bit extreme, xz-utils
>> will get a thorough audit and it will all be fine. But when a malicious
>> actor has been a key maintainer of something as complex as a decompression
>> utility for years, I'm not sure I could ever trust that codebase again.
>> Maybe a complete rewrite will emerge, but I'm personally unwilling to
>> continue using xz utils in the meantime for uncompressing anything on my
>> systems, even if it is done by an unprivileged process.
>
> It suffices to downgrade to the version of xz before a social
> engineering attack by a malicious actor to gain maintainership of the xz
> project.
Have you been linked to this yet?
https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html
Wed, 29 Jun 2022 13:07:07 -0700
This is 2 years ago.
Had I seen someone say that a bad actor would spend years gaining the
trust of FOSS project maintainers in order to gain commit access and
introduce such sophisticated back doors, I would have told them to take
their meds.
This is insane.
Not even this seems impossible anymore:
https://01.me/en/2014/11/insert-backdoor-into-compiler/
If this happened to something like Firefox, I don't think anyone would
have found out.
No one bats an eye if a website loads 0.5s longer.
--
Linux-gentoo-x86_64-Intel-R-_Core-TM-_i5-7400_CPU_@_3.00GHz
COMMON_FLAGS="-O3 -pipe -march=native -fno-stack-protector
-ftree-vectorize -ffast-math -funswitch-loops -fuse-linker-plugin -flto
-fdevirtualize-at-ltrans -fno-plt -fno-semantic-interposition
-falign-functions=64 -fgraphite-identity -floop-nest-optimize"
USE="-* git verify-sig rsync-verify man alsa X grub ssl ipv6 lto
libressl olde-gentoo asm native-symlinks threads jit jumbo-build minimal
strip system-man"
INSTALL_MASK="/etc/systemd /lib/systemd /usr/lib/systemd
/usr/lib/modules-load.d /usr/lib/tmpfiles.d *tmpfiles* /var/lib/dbus
/lib/udev /usr/share/icons /usr/share/applications
/usr/share/gtk-3.0/emoji"
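As an added example, not part of the thread above and not code from the xz or Gentoo projects: a small POSIX shell check that classifies the `xz` on PATH by the version string it prints, and prints the Gentoo `package.mask` line that pins `app-arch/xz-utils` below the two releases whose tarballs carried the liblzma backdoor. The version numbers 5.6.0 and 5.6.1 come from the public disclosure, not from this thread; the banner format `xz (XZ Utils) X.Y.Z` is the first line of `xz --version`. The function names are my own.

```shell
# Added example, not from the thread. Assumes `xz --version` prints a first
# line of the form "xz (XZ Utils) 5.4.6". The affected releases (5.6.0 and
# 5.6.1) are taken from the public disclosure, not from this mail.

# Extract "X.Y.Z" from the first line of an `xz --version` banner.
# Prints nothing if the line does not match the expected format.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Succeeds (exit 0) only for the two releases known to ship the backdoor.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a banner as "affected", "clean" or "unknown" (unparsable).
# "clean" only means "not one of the two backdoored releases"; it says
# nothing about whether you trust later commits from the same maintainer.
classify_xz_banner() {
    ver=$(xz_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif xz_version_affected "$ver"; then
        echo affected
    else
        echo clean
    fi
}

# Gentoo /etc/portage/package.mask entry that keeps xz-utils below 5.6.0.
gentoo_mask_line() {
    echo '>=app-arch/xz-utils-5.6.0'
}

# Report on the binary actually installed, if there is one.
if command -v xz >/dev/null 2>&1; then
    banner=$(xz --version 2>/dev/null | head -n 1)
    echo "installed: $banner -> $(classify_xz_banner "$banner")"
fi
echo "package.mask line: $(gentoo_mask_line)"
```

Note that this only catches the two released tarballs; Eli's suggestion above is stricter, pinning to whatever version predates the maintainership handover, which this check does not encode because that boundary is not stated in the thread.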