Date: Sat, 30 Mar 2024 17:19:35 -0000
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
From: "Eddie Chapman"
To: gentoo-dev@lists.gentoo.org
References: <20240329204315.3b29449b@Akita> <1671d927-55d5-6f01-2b54-b33981406945@gmail.com>

Rich Freeman wrote:
> On Sat, Mar 30, 2024 at 10:57 AM Eddie Chapman wrote:
>
>> No, this is the bad actor *themselves* being a
>> principal author of the software, working stealthily and in very
>> sophisticated ways for years, to manoeuvre themselves and their
>> software into a position of trust in the ecosystem whereby they were
>> almost able to pull off the mother of all security nightmares for the
>> world.
>
> This is entirely speculative at this point. It isn't certain that the
> author is the one behind the exploit, and if they were, it is not known for
> how long their intentions were malicious, or even what their motivations
> were. It is also unclear what pseudonymous accounts with what projects
> are associated with the attacker.

For the purposes of this discussion I'm not speculating nor interested in *who* is behind this, or whether whoever committed the commits was a victim of account takeover. Certain key actions that have been taken over time by whoever is/was behind this do not require any speculation; they speak for themselves, and are clearly malicious. There is no need to wait for anything more to be revealed to be able to plainly see how bad it is. While we wait and see, huge numbers of people might be suffering real and serious consequences of continued use of xz-utils. The consequences may be completely hidden, if you go by how well the bad actor here has managed to hide what they have done.
If you are following developments you can see right now with your own eyes how incredibly difficult it is for our smartest people to unravel and pick through what this actor has done. To have faith that everything malicious that the perpetrator has done will be unravelled over time by our collective smart minds by going over the codebase with a fine-tooth comb puts far too much faith in human beings and takes unnecessary risks for something that is not worth that risk when there are alternatives. If you were looking for a compression tool for a new project, why would anyone sane take such risks for such little gain? You just wouldn't. Of course the reason there is hesitancy is because xz has become so deeply entrenched in our world; it's become almost too hard to extrapolate ourselves from it. I dare say the attacker realised this and probably sought to take advantage of that fact.

However, I do acknowledge and realise the significant practical difficulties that would be involved in making xz-utils something optional within Gentoo.