Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo

[Dale <rdalek1967@gmail.com>]

orbea wrote:
> On Sat, 30 Mar 2024 03:07:13 -0000
> "Eddie Chapman" <eddie@ehuk.net> wrote:
>
>> Given what we've learnt in the last 24hrs about xz utilities, you
>> could forgive a paranoid person for seriously considering getting rid
>> entirely of them from their systems, especially since there are
>> suitable alternatives available.  Some might say that's a bit
>> extreme, xz-utils will get a thorough audit and it will all be fine.
>> But when a malicious actor has been a key maintainer of something as
>> complex as a decompression utility for years, I'm not sure I could
>> ever trust that codebase again. Maybe a complete rewrite will emerge,
>> but I'm personally unwilling to continue using xz utils in the
>> meantime for uncompressing anything on my systems, even if it is done
>> by an unprivileged process.
>>
>> I see that many system package ebuilds unconditionally expect
>> app-arch/xz-utils to be installed simply to be able to decompress the
>> source archive in SRC_URI. So simply specifying -lzma on your system
>> isn't going to get rid of it.
>>
>> No one could have been expected to foresee what's happened with
>> xz-utils, but now that it's here, perhaps Gentoo (and other projects
>> that do) should consider not relying on a single decompression
>> algorithm for source archives, even just as an insurance against some
>> other yet unknown disaster with one algorithm or another in future?
>>
>> And yes I'm sure there will be individual packages that currently
>> absolutely need xz-utils installed during the build process, and one
>> or two that absolutely have to have it available at runtime, but those
>> bridges can be crossed as and when.
>>
>> Eddie
>>
>>
> I think this is an overreaction and we should wait for the dust to
> settle before making drastic disruptive changes.
>
>


From the news item email: 


"Impact
======

Our current understanding of the backdoor is that is does not affect
Gentoo systems, because

1. the backdoor only appears to be included on specific systems and
Gentoo does not qualify;
2. the backdoor as it is currently understood targets OpenSSH patched to
work with systemd-notify support. Gentoo does not support or include
these patches;

Analysis is still ongoing, however, and additional vectors may still be
identified. For this reason we are still issuing this advisory as if
that will be the case."


When I started reading it, I was concerned as well as I know it is used on my system.  However, when I got to the part about it not likely to affect Gentoo, my level of concern dropped significantly.  If this is still true, there's no need to be concerned.  If things has changed and it does affect Gentoo, I'm sure there will be changes made that will either fix the issue for good or at least provide a workaround until a solution is found.  Gentoo has some awesome devs. Someone will find a solution.  I notice that it has already been changed in the tree to a version that does not have the malicious code.  That alone should be a solution until a new plan is made.  

While I'm a little concerned and hope for a proper solution, I'm not to worried.  I certainly don't think we should overreact this early.  Give the devs and upstream time to work this out.  

Just a users opinion.  

Dale 

:-)  :-)