A bold statement from Dirk Mueller on the OpenSUSE blog:
"Debian, as well as the other affected distributions like openSUSE are carrying a significant amount of downstream-only patches to essential open-source projects, like in this case OpenSSH. With hindsight, that should be another Heartbleed-level learning for the work of the distributions. These patches built the essential steps to embed the backdoor, and do not have the scrutiny that they likely would have received by the respective upstream maintainers. Whether you trust Linus Law or not, it was not even given a chance to chime in here. Upstream did not fail on the users, distributions failed on upstream and their users here."
Two full months into Pop_OS now. While generally happy, I struggle a bit with the system getting slower and slower over time; I need to reboot every 2-3 days to get back to normal. Resource monitors show no havoc processes and no excessive memory usage.
For some other reasons I installed openSUSE Tumbleweed in a VM with KDE 6 and now find it very tempting to switch. It was super fast and KDE seems just so much better at this point.
Switching distro is a huge PITA, so if you have any arguments against it, I would appreciate that before I go down that road 🙂
The certainty that you can walk out for a coffee ☕ on these 1649 packages being updated in Tumbleweed. Come back, reboot, good to go. The gecko rocks! #opensuse #tumbleweed
For our openSUSE #Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited
FYI openSUSE Tumbleweed users, the downgrade of the xz library to roll it back to 5.4.6 is already in place (you can check by looking at the update target version), so update now (to perform the downgrade) if you haven't already.
openSUSE maintainers received notification of a supply chain attack against the “xz” compression tool and “liblzma5” library. Background Security Researcher ...
OpenSSH in openSUSE also seems to be patched to link to libsystemd, thus linking to liblzma. Hence, Tumbleweed should be affected. 😔 #openSUSE #Linux #liblzma #lzma #xz #ssh #infosec
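The two posts above suggest two things a Tumbleweed admin would want to check on their own box: whether the installed xz / liblzma5 package is one of the two releases that shipped the backdoored build (5.6.0 and 5.6.1, per the upstream xz advisory; the page itself only names the 5.4.6 rollback target), and whether the local sshd really does pull in liblzma transitively through libsystemd. The script below is an added example, not code from any of the posters or from the openSUSE project. The function names (`xz_version_affected`, `classify_xz_version`, `sshd_lzma_deps`, `report_installed_xz`) and the sample version strings are constructed for illustration; the `rpm` and `ldd` invocations use only standard flags and are skipped on systems that lack those tools.

```shell
#!/bin/sh
# Added example (not from the original posts): classify an xz/liblzma5
# version string against the two known-backdoored upstream releases and
# inspect sshd for a transitive liblzma dependency via libsystemd.

# Returns 0 when the version is a known-backdoored release, 1 otherwise.
# Accepts a bare upstream version ("5.6.1") or an rpm-style
# version-release string ("5.6.1-1.1"); only the upstream part matters.
xz_version_affected() {
    v=${1%%-*}          # strip rpm release suffix: "5.6.1-1.1" -> "5.6.1"
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "affected" or "ok" for a version string (wrapper for reporting).
classify_xz_version() {
    if xz_version_affected "$1"; then echo affected; else echo ok; fi
}

# Lists the shared objects sshd pulls in that mention systemd or lzma.
# ldd resolves transitive dependencies, so a libsystemd that itself links
# liblzma makes liblzma appear here even though upstream OpenSSH never
# links it directly. Prints nothing if sshd is absent or has no such deps.
sshd_lzma_deps() {
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd" ] || return 0
    ldd "$sshd" 2>/dev/null | grep -E 'libsystemd|liblzma' || true
}

# Reports installed xz and liblzma5 package versions where rpm exists
# (openSUSE); a harmless no-op on other systems.
report_installed_xz() {
    command -v rpm >/dev/null 2>&1 || return 0
    for pkg in xz liblzma5; do
        ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || continue
        printf '%s %s %s\n' "$pkg" "$ver" "$(classify_xz_version "$ver")"
    done
}

# Constructed sample versions (not real query output) so the check can be
# exercised offline: 5.4.6 is the rollback target, 5.6.x the bad releases.
for v in 5.4.6-1.1 5.6.0-1.1 5.6.1-2.1 5.6.2; do
    printf '%s -> %s\n' "$v" "$(classify_xz_version "$v")"
done
report_installed_xz
sshd_lzma_deps
```

A clean version string is necessary but not sufficient: as the earlier post notes, if sshd was exposed while a 5.6.x build was installed, it is unknown whether the backdoor was used, which is why that post recommends a fresh install rather than just the downgrade.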
openSUSE addresses supply chain attack against xz compression library (news.opensuse.org)