
A backdoor in xz

Posted Mar 29, 2024 18:08 UTC (Fri) by AdamW (subscriber, #48457)
In reply to: A backdoor in xz by bluca
Parent article: A backdoor in xz

Or were we so lucky the last time it happened?



A backdoor in xz

Posted Mar 29, 2024 18:16 UTC (Fri) by alex (subscriber, #1355) (5 responses)

It would be hubris to assume this is the first or only attempt to subvert an upstream so far.

A backdoor in xz

Posted Mar 30, 2024 4:26 UTC (Sat) by marcH (subscriber, #57642) (3 responses)

Also, don't forget to blame the messenger when there is one: https://lwn.net/Articles/853717/

A backdoor in xz

Posted Mar 30, 2024 6:07 UTC (Sat) by ssmith32 (subscriber, #72404) (2 responses)

There's being a messenger, and then there's wasting maintainer time trying to get a paper written about something everyone knows is a problem [1] by failing to get malicious code past them. Which, of course, just contributes to the overall problem of overworked maintainers that is the real root cause of the issue being covered above [2].

So, yeah, excluding people from the community who are more interested in their own academic careers than in genuinely helping: that's not "shooting the messenger".

[1] https://m.youtube.com/watch?v=fu8ZNRDQsi8&t=6771s
[2] https://www.mail-archive.com/xz-devel@tukaani.org/msg0057...

A backdoor in xz

Posted Mar 30, 2024 14:37 UTC (Sat) by marcH (subscriber, #57642) (1 response)

There's nothing wrong with excluding the offenders. There's everything wrong about whining and talking so much about them while saying so little about the actual issue.

A backdoor in xz

Posted Mar 30, 2024 14:41 UTC (Sat) by marcH (subscriber, #57642)

... and yes, maintainers are exhausted but no, that's not the only explanation.

A backdoor in xz

Posted Mar 30, 2024 11:27 UTC (Sat) by jd (guest, #26381)

We know it isn't the first. A group of researchers tried to submit exploit-ridden code to the Linux kernel, for example.

There are also packages that have been modified to not work in certain countries, and one Python package got effectively yeeted by the primary maintainer over politics.

And it's reasonable to assume that we only know a small percentage of cases.

Closed source is unlikely to be better. It would seem to me that quite a number of the exploits that get discovered are very bizarre backdoors.

If we generalise to all malicious code, then the Sony Rootkit is probably the most notorious.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds