On Sun, Mar 31, 2024 at 08:33:20AM -0400, Rich Freeman wrote:
> (moving this to gentoo-user as this is really getting off-topic for -dev)
> […]
> We're going on almost 20 years since the Snowden revelations, and back
> then the NSA was basically doing intrusion on an industrial scale.
Weeaalll,
No argument from me. That JiaTan dude had other projects forked he was
looking at. And none of them are good news. zstd. lz4. libarchive.
squashfs-tools. But still, I think it's good news if people already
figured how to turn it off in a few days.
On 4/1/2024 1:36 AM, Michael Orlitzky wrote:
On Mon, 2024-04-01 at 01:32 +0300, Alexandru N. Barloiu wrote:
> https://piaille.fr/@zeno/112185928685603910
>
> There's an ENV var you can set that is a kill switch for the whole thing :)
>
For the part that we found :)
The author of the backdoor had commit access to the upstream repository
https://piaille.fr/@zeno/112185928685603910
There's an ENV var you can set that is a kill switch for the whole thing :)
On 4/1/2024 1:29 AM, Michael Orlitzky wrote:
On Sun, 2024-03-31 at 18:19 -0400, Michael Orlitzky wrote:
The old version will show up as liblzma.so.5.6.1. Restart anything
On Sun, 2024-03-31 at 18:19 -0400, Michael Orlitzky wrote:
>
> The old version will show up as liblzma.so.5.6.1. Restart anything that
> uses it.
Or liblzma.so.5.6.0
On Sun, 2024-03-31 at 12:04 -0400, Rich Freeman wrote:
>
> It is not necessary to rebuild anything, unless you're doing something
> so unusual that you'd already know the answer to the question.
>
You should probably reboot afterwards though.
For a more fine-grained approach, you can check for
On Sun, Mar 31, 2024 at 5:36 PM Wol wrote:
>
> On 31/03/2024 20:38, Håkon Alstadheim wrote:
> > For commercial entities, the government could just contact the company
> > and apply pressure, no need to sneak the backdoor in. Cf. RSA.
>
> Serving a "secret compliance" notice on a third party is
On 31/03/2024 20:38, Håkon Alstadheim wrote:
For commercial entities, the government could just contact the company
and apply pressure, no need to sneak the backdoor in. Cf. RSA.
Apply pressure to who? At the end of the day, the only people the
government can trust are their own agents.
On 31.03.2024 14:33, Rich Freeman wrote:
(moving this to gentoo-user as this is really getting off-topic for -dev)
It might also happen with commercial software, but the challenge there
is HR as you can't just pay 1 person to masquerade as 10 when they all
need to deal with payroll taxes.
On Sun, Mar 31, 2024 at 10:59 AM Michael wrote:
>
> On Sunday, 31 March 2024 13:33:20 BST Rich Freeman wrote:
> > (moving this to gentoo-user as this is really getting off-topic for -dev)
>
> Thanks for bringing this to our attention Rich.
>
> Is downgrading to app-arch/xz-utils-5.4.2 all that is
On 3/31/24 07:59, Michael wrote:
On Sunday, 31 March 2024 13:33:20 BST Rich Freeman wrote:
(moving this to gentoo-user as this is really getting off-topic for -dev)
Thanks for bringing this to our attention Rich.
Is downgrading to app-arch/xz-utils-5.4.2 all that is needed for now, or are
we
On Sunday, 31 March 2024 13:33:20 BST Rich Freeman wrote:
> (moving this to gentoo-user as this is really getting off-topic for -dev)
Thanks for bringing this to our attention Rich.
Is downgrading to app-arch/xz-utils-5.4.2 all that is needed for now, or are
we meant to rebuilding any other/all
(moving this to gentoo-user as this is really getting off-topic for -dev)
On Sun, Mar 31, 2024 at 7:32 AM stefan1 wrote:
>
> Had I seen someone say that a bad actor would spend years gaining the
> trust of FOSS
> project maintainers in order to gain commit access and introduce such
>