Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Michael Orlitzky
On 2024-03-30 07:08:45, Marc Culler wrote:
> > Potentially, any tarfile we host may contain an exploit.
>
> Potentially, any file may contain an exploit.
>
> This hack specifically targeted ssh. When used by ssh to verify keys, the
> hacked liblzma would validate certain invalid keys, allowing

Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Marc Culler
According to Hacker News:
> openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma. So this hack was not targeting ssh in general, jus

Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Marc Culler
> Potentially, any tarfile we host may contain an exploit.

Potentially, any file may contain an exploit.

This hack specifically targeted ssh. When used by ssh to verify keys, the hacked liblzma would validate certain invalid keys, allowing a "back door" for a particular bad actor to login to

Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Dima Pasechnik
On Fri, Mar 29, 2024 at 7:42 PM Dima Pasechnik wrote:
>
> On Fri, Mar 29, 2024 at 7:39 PM Matthias Koeppe
> wrote:
> >
> > Workaround with the Sage distribution: "./configure
> > --without-system-liblzma --without-system-xz"
> > (Our xz package dates back from before the attackers were born;)
>

[sage-devel] testing notebooks with pytest --nbval ?

2024-03-30 Thread Dima Pasechnik
Is anyone testing their Sage Jupyter notebooks with pytest --nbval ? I imagine that for collections of notebooks this can be used to set up CI tests. Dima