Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
To: gentoo-dev@lists.gentoo.org
References: <20240329204315.3b29449b@Akita>
From: Dale
Message-ID: <1671d927-55d5-6f01-2b54-b33981406945@gmail.com>
Date: Sat, 30 Mar 2024 02:06:26 -0500
In-Reply-To: <20240329204315.3b29449b@Akita>

orbea wrote:
> On Sat, 30 Mar 2024 03:07:13 -0000
> "Eddie Chapman" wrote:
>
>> Given what we've learnt in the last 24hrs about xz utilities, you
>> could forgive a paranoid person for seriously considering getting rid
>> entirely of them from their systems, especially since there are
>> suitable alternatives available. Some might say that's a bit
>> extreme, xz-utils will get a thorough audit and it will all be fine.
>> But when a malicious actor has been a key maintainer of something as
>> complex as a decompression utility for years, I'm not sure I could
>> ever trust that codebase again. Maybe a complete rewrite will emerge,
>> but I'm personally unwilling to continue using xz utils in the
>> meantime for uncompressing anything on my systems, even if it is done
>> by an unprivileged process.
>>
>> I see that many system package ebuilds unconditionally expect
>> app-arch/xz-utils to be installed simply to be able to decompress the
>> source archive in SRC_URI. So simply specifying -lzma on your system
>> isn't going to get rid of it.
>>
>> No one could have been expected to foresee what's happened with
>> xz-utils, but now that it's here, perhaps Gentoo (and other projects
>> that do) should consider not relying on a single decompression
>> algorithm for source archives, even just as an insurance against some
>> other yet unknown disaster with one algorithm or another in future?
>>
>> And yes, I'm sure there will be individual packages that currently
>> absolutely need xz-utils installed during the build process, and one
>> or two that absolutely have to have it available at runtime, but those
>> bridges can be crossed as and when.
>>
>> Eddie
>>
>>
> I think this is an overreaction and we should wait for the dust to
> settle before making drastic disruptive changes.
>

From the news item email:

"Impact
======

Our current understanding of the backdoor is that it does not affect
Gentoo systems, because

1. the backdoor only appears to be included on specific systems and
   Gentoo does not qualify;
2. the backdoor as it is currently understood targets OpenSSH patched to
   work with systemd-notify support. Gentoo does not support or include
   these patches;

Analysis is still ongoing, however, and additional vectors may still be
identified. For this reason we are still issuing this advisory as if
that will be the case."

When I started reading it, I was concerned as well, as I know it is used
on my system. However, when I got to the part about it not likely to
affect Gentoo, my level of concern dropped significantly. If this is
still true, there's no need to be concerned. If things have changed and
it does affect Gentoo, I'm sure there will be changes made that will
either fix the issue for good or at least provide a workaround until a
solution is found.

Gentoo has some awesome devs. Someone will find a solution. I notice
that it has already been changed in the tree to a version that does not
have the malicious code. That alone should be a solution until a new
plan is made.

While I'm a little concerned and hope for a proper solution, I'm not too
worried. I certainly don't think we should overreact this early. Give
the devs and upstream time to work this out.

Just a user's opinion.

Dale

:-)  :-)
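An added example, not part of this thread and not Gentoo's or Portage's own tooling: a small Python inventory that reads the SRC_URI of each ebuild and reports which decompressor its source archives need, so an administrator can measure how many packages still require xz-utils at unpack time even with USE=-lzma, as Eddie describes. The suffix-to-tool table and the three ebuild fragments are constructed assumptions; the script looks only at SRC_URI, not at build-time or runtime dependencies.

```python
import re

# Archive suffix -> tool needed to unpack it (assumed mapping; extend as needed).
SUFFIX_TOOL = {".tar.xz": "xz", ".txz": "xz", ".xz": "xz", ".lzma": "xz",
               ".tar.gz": "gzip", ".tgz": "gzip", ".gz": "gzip",
               ".tar.bz2": "bzip2", ".tbz2": "bzip2", ".bz2": "bzip2",
               ".tar.zst": "zstd", ".zst": "zstd", ".zip": "unzip"}
# Matches SRC_URI="..." or SRC_URI+="...", possibly spanning several lines.
SRC_URI_RE = re.compile(r'^\s*SRC_URI\s*\+?=\s*"(.*?)"', re.S | re.M)

def tool_for(filename):
    """Decompressor implied by an archive name, or None if it is not an archive."""
    name = filename.rsplit("/", 1)[-1]
    for suffix in sorted(SUFFIX_TOOL, key=len, reverse=True):  # longest suffix wins
        if name.endswith(suffix):
            return SUFFIX_TOOL[suffix]
    return None

def src_uri_tools(ebuild_text):
    """Set of decompressors an ebuild's SRC_URI archives need at unpack time.
    Understands USE-conditional groups 'flag? ( ... )' and 'uri -> localname'."""
    tools = set()
    for body in SRC_URI_RE.findall(ebuild_text):
        tokens = body.replace("\\\n", " ").split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("(", ")") or tok.endswith("?"):  # group syntax, not a URI
                i += 1
                continue
            if i + 2 < len(tokens) and tokens[i + 1] == "->":
                tok, i = tokens[i + 2], i + 3           # local name decides the suffix
            else:
                i += 1
            tool = tool_for(tok)
            if tool:
                tools.add(tool)
    return tools

def inventory(ebuilds):
    """For {atom: ebuild text}: ({tool: sorted atoms}, atoms whose sources come only as xz)."""
    by_tool = {}
    for atom, text in ebuilds.items():
        for tool in src_uri_tools(text):
            by_tool.setdefault(tool, []).append(atom)
    xz_only = [a for a, t in ebuilds.items() if src_uri_tools(t) == {"xz"}]
    return {t: sorted(a) for t, a in by_tool.items()}, sorted(xz_only)

# Constructed sample ebuild fragments (not real packages); ${PV}/${P} left unexpanded.
SAMPLE_EBUILDS = {
    "app-arch/foo-1.0": 'SRC_URI="https://example.invalid/foo-${PV}.tar.xz"\n',
    "dev-libs/bar-2.1": 'SRC_URI="https://example.invalid/bar-${PV}.tar.gz\n\tdoc? ( https://example.invalid/bar-doc-${PV}.tar.xz )"\n',
    "sys-apps/baz-3.2": 'SRC_URI="https://example.invalid/v${PV}.tar.gz -> ${P}.tar.gz"\n',
}
```

Pointing `inventory` at the text of every `.ebuild` under a checkout of the tree gives the per-tool counts; the second return value lists packages that offer no non-xz archive at all.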