Hi Ryan, On Fri, Mar 29 2024, Ryan Prior wrote:
> I'm reading today that a backdoor is present in xz's upstream tarball
> (but not in git), starting at version 5.6.0. Source:
> https://www.openwall.com/lists/oss-security/2024/03/29/4

Thanks for sending this! This is an extremely serious vulnerability with criminal intent. I cc'd guix-secur...@gnu.org just in case you haven't.

> Guix currently packages xz-utils 5.2.8 as "xz" using the upstream
> tarball. [...] Should we switch from using upstream tarballs to some
> fork with more responsible maintainers?

Guix's habit of building from tarballs is a poor idea because tarballs often differ. For example, maintainers may choose to ship a ./configure script that is otherwise not present in Git (although a configure.ac might be). Guix should build from Git.

> Is there a way we can blacklist known bad versions?

Having said all that, I am not sure Guix is affected. On my systems, the 'detect.sh' script shows no reference to liblzma in sshd. Everyone, please send additional reports.

Kind regards
Felix
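The check Felix ran amounts to asking whether the sshd binary resolves liblzma at load time and which xz release is installed. The script below is an added example written for this thread, not the detect.sh from the oss-security post; the sshd paths it probes are assumptions, and it relies on `ldd` being present.

```shell
#!/bin/sh
# Added example: report whether a binary resolves liblzma, and which xz
# version is on the host. Not the detect.sh script referenced above.

check_liblzma_linkage() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "missing"; return 2
    fi
    if ! command -v ldd >/dev/null 2>&1; then
        echo "unknown"; return 3
    fi
    # ldd lists one shared object per line; any liblzma entry is a hit.
    if ldd "$bin" 2>/dev/null | grep -q 'liblzma'; then
        echo "linked"; return 0
    fi
    echo "not-linked"; return 1
}

# First line of `xz --version` is "xz (XZ Utils) X.Y.Z"; the report names
# 5.6.0 as the first affected tarball release.
xz_version() {
    command -v xz >/dev/null 2>&1 || { echo "absent"; return 1; }
    xz --version 2>/dev/null | awk 'NR==1 {print $NF}'
}

# Candidate sshd locations (assumed; adjust for the host being checked).
for candidate in /usr/sbin/sshd /run/current-system/profile/sbin/sshd; do
    if [ -x "$candidate" ]; then
        printf '%s: %s\n' "$candidate" "$(check_liblzma_linkage "$candidate")"
    fi
done
printf 'xz version: %s\n' "$(xz_version)"
```

A "linked" result only says liblzma is loaded into sshd; it does not by itself confirm the backdoored release, so pair it with the version check.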