- cross-posted to:
- linux@lemmy.ml
Related discussion:
https://news.ycombinator.com/item?id=39865810
https://news.ycombinator.com/item?id=39877267
Advisories:
Man, there is a lot of concerning stuff there.
In particular, one person commented that the original xz maintainer was possibly subjected to a pressure campaign to hand over maintainership.
I don’t know how many open-source project maintainers would be on guard for something that subtle, people coordinating to take over maintainership of a project.
I mean, xz isn’t normally something you’d immediately think of as security-critical. I doubt that a maintainer knows or thinks about all the potential downstream dependencies (in this case, not even a standard sshd dependency, but one that came up because of a patch that Debian used to add some systemd functionality).
EDIT:
On second thought, it actually is, given that Debian packages are xz-compressed.
Wow
And for a state-sponsored attacker it is cheaper to bribe (or threaten to kill, even cheaper) the single developer to add a backdoor than to do all the research to find a zero day.