From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 31 Mar 2024 11:32:14 +0000
From: stefan11111
X-Sender: stefan11111@shitposting.expert
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
Content-Type: text/plain; charset=US-ASCII; format=flowed

On 2024-03-31 01:33, Eli Schwartz wrote:
> On 3/29/24 11:07 PM, Eddie Chapman wrote:
>> Given what we've learnt in the last 24hrs about xz utilities, you could
>> forgive a paranoid person for seriously considering getting rid entirely
>> of them from their systems, especially since there are suitable
>> alternatives available. Some might say that's a bit extreme, xz-utils
>> will get a thorough audit and it will all be fine. But when a malicious
>> actor has been a key maintainer of something as complex as a decompression
>> utility for years, I'm not sure I could ever trust that codebase again.
>> Maybe a complete rewrite will emerge, but I'm personally unwilling to
>> continue using xz utils in the meantime for uncompressing anything on my
>> systems, even if it is done by an unprivileged process.
>
>
> It suffices to downgrade to the version of xz before a social
> engineering attack by a malicious actor to gain maintainership of the xz
> project.
>
> Have you been linked to this yet?
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html
> Wed, 29 Jun 2022 13:07:07 -0700

This is 2 years ago.

Had I seen someone say that a bad actor would spend years gaining the trust
of FOSS project maintainers in order to gain commit access and introduce
such sophisticated back doors, I would have told them to take their meds.
This is insane.

Not even this seems impossible anymore:
https://01.me/en/2014/11/insert-backdoor-into-compiler/

If this happened to something like firefox, I don't think anyone would have
found out. No one bats an eye if a website loads 0.5s longer.

-- 
Linux-gentoo-x86_64-Intel-R-_Core-TM-_i5-7400_CPU_@_3.00GHz
COMMON_FLAGS="-O3 -pipe -march=native -fno-stack-protector -ftree-vectorize -ffast-math -funswitch-loops -fuse-linker-plugin -flto -fdevirtualize-at-ltrans -fno-plt -fno-semantic-interposition -falign-functions=64 -fgraphite-identity -floop-nest-optimize"
USE="-* git verify-sig rsync-verify man alsa X grub ssl ipv6 lto libressl olde-gentoo asm native-symlinks threads jit jumbo-build minimal strip system-man"
INSTALL_MASK="/etc/systemd /lib/systemd /usr/lib/systemd /usr/lib/modules-load.d /usr/lib/tmpfiles.d *tmpfiles* /var/lib/dbus /lib/udev /usr/share/icons /usr/share/applications /usr/share/gtk-3.0/emoji"
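The downgrade Eli describes only helps if you can confirm what is actually installed and keep Portage from pulling a newer release back in. The script below is an added example (not code from anyone in this thread): it parses the first line of `xz --version` output, compares the result against a "last trusted" version supplied by the caller, and prints the `package.mask` atom that would pin `app-arch/xz-utils` below that version. The `app-arch/xz-utils` atom and the `>category/pkg-version` mask syntax are standard Portage conventions; the version output string and the trusted version are constructed sample values, since the thread names no specific version.

```shell
#!/bin/sh
# Added example: check an installed xz-utils against a caller-chosen
# "last trusted" version and emit the Portage package.mask line that pins it.
# SAMPLE_XZ_VERSION is a constructed stand-in for `xz --version` output.

SAMPLE_XZ_VERSION="xz (XZ Utils) 5.4.6
liblzma 5.4.6"

# vercmp A B: prints -1 if A < B, 0 if equal, 1 if A > B (dotted numeric parts;
# missing trailing components count as 0, so 5.6 == 5.6.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Pull the version number off the first line of `xz --version` output.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# The package.mask entry that keeps anything newer than $1 from being merged.
# (Placeholder threshold: the caller decides which release they still trust.)
mask_line() {
    printf '>app-arch/xz-utils-%s\n' "$1"
}

# check_xz OUTPUT TRUSTED: succeeds (exit 0) when the installed version is at
# or below TRUSTED, fails otherwise.
check_xz() {
    v=$(xz_version_from_output "$1")
    [ -n "$v" ] || return 1
    [ "$(vercmp "$v" "$2")" -le 0 ]
}

# Stand-alone run against the constructed sample; on a real box replace the
# first argument with "$(xz --version 2>/dev/null)".
main() {
    trusted="${1:-5.4.6}"   # placeholder default, not a recommendation
    if check_xz "$SAMPLE_XZ_VERSION" "$trusted"; then
        echo "installed xz is at or below $trusted"
    else
        echo "installed xz is newer than $trusted; suggested /etc/portage/package.mask entry:"
        mask_line "$trusted"
    fi
}

[ "${SHELL_EXAMPLE_NO_MAIN:-0}" = 1 ] || main "$@"
```

To use it on a live system, pass the real `xz --version` output into `check_xz` and append the `mask_line` output to `/etc/portage/package.mask` before the downgrade so that a later `emerge --update` does not silently reintroduce the masked release.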