Re: xz backdoor

2024-04-02 Thread Ryan Prior
On Tuesday, April 2nd, 2024 at 3:23 AM, Attila Lendvai wrote:
> https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439
>
> ...and its author actively defends this situation. Yikes.

This sounds like a great reason to fork. The author can prefer

Re: xz backdoor

2024-04-02 Thread adanskana
Hi all, On Tue, Apr 2 2024 at 08:23:40 AM +, Attila Lendvai wrote: There's actually suspicious code by the xz attacker in one of our packages right now: Please help review that patch! as for gpaste (one of the dependees of libarchive):

Re: xz backdoor

2024-04-02 Thread Attila Lendvai
> There's actually suspicious code by the xz attacker in one of our
> packages right now:
>
> https://issues.guix.gnu.org/issue/70113
>
> Please help review that patch!

as for gpaste (one of the dependees of libarchive): it doesn't build since the recent gnome merge. i've filed a patch for

Re: xz backdoor

2024-04-01 Thread Leo Famulari
On Mon, Apr 01, 2024 at 09:46:12PM +0200, Reza Housseini wrote:
> Just stumbled upon this recently discovered supply chain attack on xz,
> inserting a backdoor via test files [1, 2]. And it made me wonder, what
> would have been the effects on guix and how can we potentially avoid it?

There's

Re: xz backdoor

2024-04-01 Thread Attila Lendvai
> The quick summary is that Guix currently shouldn't be affected
> because a) Guix currently packages xz 5.2.8, which predates the
> backdoor, and b) the backdoor includes checks based on absolute
> paths e.g. under /usr and Guix executable paths generally don't
> match the patterns checked for.

Re: xz backdoor

2024-04-01 Thread jbranso
April 1, 2024 at 3:46 PM, "Reza Housseini" wrote:
> > Hi Guixers
> > Just stumbled upon this recently discovered supply chain attack on xz,
> > inserting a backdoor via test files [1, 2]. And it made me wonder,
> > what would have been the effects on guix and how can we potentially
>

Re: xz backdoor

2024-04-01 Thread Kaelyn
s on guix and how can we potentially
> avoid it?

Thank you for your email about the xz backdoor! To hopefully help with your questions, there has already been some discussion on guix-devel about the backdoor and how it should be handled now and in the future: https://lists.gnu.org/archive

xz backdoor

2024-04-01 Thread Reza Housseini
Hi Guixers

Just stumbled upon this recently discovered supply chain attack on xz, inserting a backdoor via test files [1, 2]. And it made me wonder, what would have been the effects on guix and how can we potentially avoid it?

Stay safe!
Reza

[1]