Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo

["Eddie Chapman" <eddie@ehuk.net>]

Rich Freeman wrote:
> On Sat, Mar 30, 2024 at 10:57 AM Eddie Chapman <eddie@ehuk.net> wrote:
>
>> No, this is the the bad actor *themselves* being a
>> principal author of the software, working stealthily and in very
>> sophisticated ways for years, to manoeuvrer themselves and their
>> software into a position of trust in the ecosystem whereby they were
>> almost able to pull off the mother of all security nightmares for the
>> world.
>
> This is entirely speculative at this point.  It isn't certain that the
> author is the one behind the exploit, and if they were, it is not known for
> how long their intentions were malicious, or even what their motivations
> were.  It is also unclear what pseudonymous accounts with what projects
> are associated with the attacker.

For the purposes of this discussion I'm not speculating nor interested in
*who* is behind this, or whether or whoever committed commits was a victim
of account takeover. Certain key actions that have been taken over time by
whoever is/was behind this do not require any speculation, they speak for
themselves, and are clearly malicious. There is no need to wait for
anything more to be revealed to be able to plainly see how bad it is.

While we wait and see, huge numbers of people might be suffering real and
serious consequences of continued use of xz-utils. The consequences may be
completely hidden, if you go by how well the bad actor here has managed to
hide what they have done. If you are following developments you can see
right now with your own eyes how incredibly difficult it is for our
smartest people to unravel and pick through what this actor has done. To
have faith that everything malicious that the perpetrator has done will be
unravelled over time by our collective smart minds by going over the
codebase with a fine tooth-comb puts far too much faith in human beings
and takes unnecessary risks for something that is not worth that risk when
there are alternatives. If you were looking for a compression tool for a
new project, why would anyone sane take such risks for such little gain?
You just wouldn't. Of course the reason there is hesitancy is because xz
has become so deeply entrenched in our world, it's become almost too hard
to extrapolate ourselves from it. I dare say the attacker realised this
and probably sought to take advantage of that fact.

However, I do acknowledge and realise the significant practical
difficulties that would be involved in making xz-utils something optional
within Gentoo.