A backdoor in xz
Posted Mar 30, 2024 1:52 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
In reply to: A backdoor in xz by jengelh
Parent article: A backdoor in xz
Most of the autogenerated files are autohell-related scripts. Honestly, if you still depend on it, you can install the required dependencies and run autogen.sh yourself on the build host. It's not 1994 anymore.
The SCM management for Bash is atrocious. We just need to switch away from it to something like zsh by default. At this point in time, doing large code drops for something as critical as Bash is just bordering on malpractice.
And relying on autohell for builds _is_ malpractice.
Posted Mar 30, 2024 10:08 UTC (Sat)
by nim-nim (subscriber, #34454)
Safe practices are well known: small, auditable, reusable components that build from signed archives with no third-party altered code dropped in, and frugal acyclic dependency graphs. But that's exactly the reverse of where we've been going these past years. Devs understand code modularity, not build modularity.
The pile of junk has been avoiding any catastrophic collapse so far (apart from the log4j episode, with everyone else pretending it's Java-specific while replicating the very same build workflows), but that's only a question of time.
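Both comments above come down to one check a build host can actually run: regenerate the autotools output yourself and refuse any file that exists only in the release archive and not in the version-controlled tree. The script below is an added example written for this thread, not code from either commenter or from the xz project; the directory layout, the allowlist of generated files and the sample trees in the test are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the LWN thread): list files that exist in an
# extracted release tarball but not in the VCS checkout of the same tag, and
# flag those that are not on an allowlist of files the build regenerates
# anyway (the autogen.sh / autoreconf products discussed above).
# The allowlist and directory arguments are assumptions for this demo.
set -eu

# Files a release archive legitimately adds on top of the VCS tree; these are
# thrown away and regenerated on the build host, so their contents never
# matter. Anything else that only exists in the archive deserves a look.
EXPECTED_GENERATED="configure Makefile.in aclocal.m4 config.h.in"

# Print, one per line, relative paths present in $1 (archive) but not in $2
# (checkout). .git metadata is ignored on the checkout side.
tarball_only_files() {
    tb_list=$(mktemp); vcs_list=$(mktemp)
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort ) > "$tb_list"
    ( cd "$2" && find . -type f ! -path './.git/*' | sed 's|^\./||' | sort ) > "$vcs_list"
    comm -23 "$tb_list" "$vcs_list"   # lines only in the first (archive) list
    rm -f "$tb_list" "$vcs_list"
}

# Return 0 when every archive-only file is on the allowlist, 1 otherwise,
# printing each unexpected file so the build can be stopped before configure.
check_release() {
    extras=$(mktemp); rc=0
    tarball_only_files "$1" "$2" > "$extras"
    while IFS= read -r f; do
        case " $EXPECTED_GENERATED " in
            *" $f "*) ;;                                  # regenerated anyway
            *) echo "unexpected archive-only file: $f"; rc=1 ;;
        esac
    done < "$extras"
    rm -f "$extras"
    return $rc
}
```

Run it as `check_release /path/to/extracted-tarball /path/to/git-checkout` after fetching the tag the release claims to correspond to; a non-zero exit means the archive carries code the repository never saw.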
Posted Mar 30, 2024 15:09 UTC (Sat)
by marcH (subscriber, #57642)
Has it? With spies the main thing we know is: we know very little.