From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 5585F158041 for ; Sun, 31 Mar 2024 22:41:36 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1A695E2A0B; Sun, 31 Mar 2024 22:41:32 +0000 (UTC) Received: from aya.dale.ro (dale.ro [81.196.105.36]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 5E5DBE29FD for ; Sun, 31 Mar 2024 22:41:31 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by aya.dale.ro (Postfix) with ESMTP id 26B3018C286A for ; Mon, 1 Apr 2024 01:41:30 +0300 (EEST) X-Virus-Scanned: amavisd-new at dale.ro Received: from aya.dale.ro ([127.0.0.1]) by localhost (ruja.dale.ro [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0yif70JSIuXx for ; Mon, 1 Apr 2024 01:41:27 +0300 (EEST) Received: from [192.168.23.9] (m.dale.ro [82.78.3.65]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (prime256v1)) (No client certificate requested) by aya.dale.ro (Postfix) with ESMTPSA id A6D6E18B8834 for ; Mon, 1 Apr 2024 01:41:27 +0300 (EEST) Message-ID: Date: Mon, 1 Apr 2024 01:41:27 +0300 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [gentoo-user] Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo To: gentoo-user@lists.gentoo.org References: <2676120.BddDVKsqQX@rogueboard> <718f30add8a1819a5cb3473433fdbf94efda96e0.camel@gentoo.org> <69c19a79-cf97-4389-a216-0c5857d3d602@dale.ro> <2f7d88227ae69e1928884204536bca4bdd0bd1af.camel@gentoo.org> Content-Language: en-US From: "Alexandru N. Barloiu" In-Reply-To: <2f7d88227ae69e1928884204536bca4bdd0bd1af.camel@gentoo.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: 18fb357f-3953-4256-a75a-638c972d3ccc X-Archives-Hash: 432ef08024544da3b6faea3d9396243f No argument from me. That JiaTan dude had other projects forked he was looking at. And none of them are good news. zstd. lz4. libarchive. squashfs-tools. But still, I think its good news if people already figured how to turn it off in a few days. On 4/1/2024 1:36 AM, Michael Orlitzky wrote: > On Mon, 2024-04-01 at 01:32 +0300, Alexandru N. Barloiu wrote: >> https://piaille.fr/@zeno/112185928685603910 >> >> There's an ENV var you can set that is a kill switch for the whole thing :) >> > For the part that we found :) > > The author of the backdoor had commit access to the upstream repository > for a long time: > > https://git.tukaani.org/?p=xz.git;a=search;s=Jia+Tan;st=author > > Personally I would be skeptical of running any version of any package > that he has touched. > >