From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-101500-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 108AF158041
	for <garchives@archives.gentoo.org>; Sun, 31 Mar 2024 11:14:02 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id D86372BC016;
	Sun, 31 Mar 2024 11:13:56 +0000 (UTC)
Received: from james.steelbluetech.co.uk (james.steelbluetech.co.uk [78.40.151.100])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 802042BC013
	for <gentoo-dev@lists.gentoo.org>; Sun, 31 Mar 2024 11:13:55 +0000 (UTC)
Received: from ukinbox.ecrypt.net (hq2.ehuk.net [10.0.10.2])
	by james.steelbluetech.co.uk (Postfix) with ESMTP id 0DF44BFC18
	for <gentoo-dev@lists.gentoo.org>; Sun, 31 Mar 2024 12:13:54 +0100 (BST)
DKIM-Filter: OpenDKIM Filter v2.10.3 james.steelbluetech.co.uk 0DF44BFC18
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ehuk.net; s=default;
	t=1711883634; bh=t1wuXFWS2HqZCvibn4kikCJ3hQ2K5lBl+1X2BSPlRtA=;
	h=In-Reply-To:References:Date:Subject:From:To:Reply-To:From;
	b=QQBbV/nMH2JprxofBg2/AHuHS8ONss3WJgoh7IBrPkNbjM9sfSW9fBkhyw1t7vgb/
	 QScDMABmtwqyeWODJfGEwsaMailihjBFI7QTYraBIxKWC1M98oIThoWYdV4P7Zb5D1
	 hzyHlx2TnoWtCgBh1uGaUrMlhu+rBAb/lUcLM28bq5K5B7fjRWhLnhxWmkjBSIzum5
	 00N/jRx4H2r0sbHXYwRYOIzub5IiDTKE/0eWARDsjkEkzGpBQzVyHuFGVYQd8bRrex
	 IhYyy/gbBWjtfDEGDVGLmzDNwg4LbHiGiG0cL7PRiftruoGXbzBO8/uLw0RjDYjKGa
	 vIFqCBF6RShfg==
Message-ID: <42575b278b15f667e08084b83de0d7af.squirrel@ukinbox.ecrypt.net>
In-Reply-To: <bea7dbcb-8659-43fe-b90c-e8d8b93c52ce@gmail.com>
References: <a2e3bb067a078bffaa860bdf5e11977d.squirrel@ukinbox.ecrypt.net>
    <bea7dbcb-8659-43fe-b90c-e8d8b93c52ce@gmail.com>
Date: Sun, 31 Mar 2024 12:13:54 +0100
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
From: "Eddie Chapman" <eddie@ehuk.net>
To: gentoo-dev@lists.gentoo.org
User-Agent: SquirrelMail/1.5.2 [SVN]
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang
X-Archives-Salt: 7557ab65-4fdd-4499-8d56-cefd9c4f5269
X-Archives-Hash: e2c0530dc1fbf7ca7b8ab8f649056488

Eli Schwartz wrote:
> On 3/29/24 11:07 PM, Eddie Chapman wrote:
>
>> Given what we've learnt in the last 24hrs about xz utilities, you could
>>  forgive a paranoid person for seriously considering getting rid
>> entirely of them from their systems, especially since there are suitable
>>  alternatives available.  Some might say that's a bit extreme, xz-utils
>>  will get a thorough audit and it will all be fine. But when a
>> malicious actor has been a key maintainer of something as complex as a
>> decompression utility for years, I'm not sure I could ever trust that
>> codebase again. Maybe a complete rewrite will emerge, but I'm personally
>> unwilling to continue using xz utils in the meantime for uncompressing
>> anything on my systems, even if it is done by an unprivileged process.
>
>
> It suffices to downgrade to the version of xz before a social
> engineering attack by a malicious actor to gain maintainership of the xz
> project.
>
> Have you been linked to this yet?
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html
>
> --
> Eli Schwartz
>

Yes I saw that yesterday. It only increased my level of concern about the
project ten-fold rather than decreased it, particularly because of "he has
been helping a lot off-list and is practically a co-maintainer already".
It's not possible to just downgrade to before the bad actor's commits and
then feel fine about things because they have been heavily involved
offline even before commit access. We'll never know how much and when
because I also cannot trust what the apparently innocent maintainer (who
is most likely a victim here as well) might say about that now. Not
because of anything about them (I don't know them or anything about them),
just because of what has happened, there is too much of an incentive for
that person to now downplay the involvement of the bad actor.  I'm sorry
if that may seem harsh but, in my view, this situation is so severe it
warrants it. The world is facing threats from very sophisticated and
capable bad actors, mostly criminal organisations. If people here want to
run systems that are actually secure and also have other people trust
their stewardship, then things need to be taken seriously and high
standards need to be maintained. Especially where it is a tool that is not
super essential (it has just become heavily entrenched) and where there
are great alternatives, there should be no hesitancy to jettison a project
that has been infiltrated to such an extent as we have seen here (this is
far beyond just some devs workstation got compromised and there was a few
bad commits made it into the repo). At the moment there is far too much of
a cavalier attitude about the whole thing being shown by too many,
including here I'm sad to see.