From: stefan11111 <stefan11111@shitposting.expert>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
Date: Sun, 31 Mar 2024 11:32:14 +0000
Message-ID: <f41893920d7bd6dde5ae8665c4603b63@shitposting.expert>
In-Reply-To: <bea7dbcb-8659-43fe-b90c-e8d8b93c52ce@gmail.com>
On 2024-03-31 01:33, Eli Schwartz wrote:
> On 3/29/24 11:07 PM, Eddie Chapman wrote:
>> Given what we've learnt in the last 24hrs about xz utilities, you could
>> forgive a paranoid person for seriously considering getting rid entirely
>> of them from their systems, especially since there are suitable
>> alternatives available. Some might say that's a bit extreme, xz-utils
>> will get a thorough audit and it will all be fine. But when a malicious
>> actor has been a key maintainer of something as complex as a decompression
>> utility for years, I'm not sure I could ever trust that codebase again.
>> Maybe a complete rewrite will emerge, but I'm personally unwilling to
>> continue using xz utils in the meantime for uncompressing anything on my
>> systems, even if it is done by an unprivileged process.
>
>
> It suffices to downgrade to the version of xz before a social
> engineering attack by a malicious actor to gain maintainership of the
> xz project.
>
> Have you been linked to this yet?
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html
> Wed, 29 Jun 2022 13:07:07 -0700
This is 2 years ago.
Had I seen someone say that a bad actor would spend years gaining the
trust of FOSS project maintainers in order to gain commit access and
introduce such sophisticated back doors, I would have told them to take
their meds.
This is insane.
Not even this seems impossible anymore:
https://01.me/en/2014/11/insert-backdoor-into-compiler/
If this happened to something like firefox, I don't think anyone would
have found out.
No one bats an eye if a website loads 0.5s longer.
--
Linux-gentoo-x86_64-Intel-R-_Core-TM-_i5-7400_CPU_@_3.00GHz
COMMON_FLAGS="-O3 -pipe -march=native -fno-stack-protector
-ftree-vectorize -ffast-math -funswitch-loops -fuse-linker-plugin -flto
-fdevirtualize-at-ltrans -fno-plt -fno-semantic-interposition
-falign-functions=64 -fgraphite-identity -floop-nest-optimize"
USE="-* git verify-sig rsync-verify man alsa X grub ssl ipv6 lto
libressl olde-gentoo asm native-symlinks threads jit jumbo-build minimal
strip system-man"
INSTALL_MASK="/etc/systemd /lib/systemd /usr/lib/systemd
/usr/lib/modules-load.d /usr/lib/tmpfiles.d *tmpfiles* /var/lib/dbus
/lib/udev /usr/share/icons /usr/share/applications
/usr/share/gtk-3.0/emoji"