Nick | Message | Time |
---|---|---|
frickler | big warning to all people running debian sid or fedora 41 https://boehs.org/node/everything-i-know-about-the-xz-backdoor (and also to the community in general I guess) | 07:33 |
fungi | frickler: also openSUSE Tumbleweed as clark discovered yesterday | 14:27 |
fungi | but yeah, i've been following the oss-security ml thread from the moment the disclosure came through | 14:29 |
NeilHanlon | looks like it is even wider than xz ... there's at least some badness in libarchive, too .... https://github.com/libarchive/libarchive/pull/1609#issuecomment-2028125584 | 16:22 |
fungi | as much doom-n-gloom as is going around about this, i see the rapid identification, response and open dialogue as a major win for open source. these kinds of agent-saboteur developer tactics are relatively commonplace in the proprietary software world, it just doesn't get talked about. it's comparatively harder to pull off in the open, as this incident demonstrates | 16:35 |
NeilHanlon | fungi: 100% agree. Things have come a **long** way since, say, Heartbleed. | 17:30 |
fungi | the example i liken it to is the Juniper VPN backdoor. a government agent applied for a job there, got themselves onto the dev team responsible for the gateway software, and quietly added a backdoor right under their noses. it got shipped to numerous organizations all over the world and was presumably exploited for years in production, then when it was discovered the company was pressured to sit on and cover it up | 17:43 |
fungi | but with commercial software there are even easier ways, e.g. the Crypto AG route where a company just gets completely replaced by government agents and ships malware to unwary customers for decades so it can spy on them | 17:49 |
fungi | or Inslaw/PROMIS where a government targets a domestic software product in use for sensitive tasks by other governments, forces it into bankruptcy and hands it over to people who are secretly on their payroll | 17:52 |
NeilHanlon | yep | 17:59 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!