Debian Decided to Postpone the 12.6 Release | Linuxiac
「 Without a doubt, the deliberate infiltration of backdoored upstream XZ tarballs into the Debian sid repository a few days ago, allowing remote SSH access without authentication, sparked a real storm in the Linux community 」
There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.
Most of my feed on the #xzorcist#xz mess is solution-eering on ideas for paying maintainers. It implies the way to fix this is to simply pay people for their time.
I am not seeing something else though. Has anyone actually asked the maintainer what they want? What if that answer was not money? What if it was "I don't want to do this anymore?"
Regardless of the answer this time around, we should be prepared to boldly face these types of answers too.
many Russian & Chinese names seen as maintainers or key committer attributions of xz & liblzma:
Larhzu (username of "Lasse Collin")
Jia Tan
Chan Tsune
Wei Dai
Sergey Kosukhin
Igor Pavlov
Ilya Kurdyukov
Dimitri Papadopoulos
DISCLAIMER: This is NOT an exhaustive search, just a quick one. And having one's name in this list does NOT imply guilt or malfeasance, and it's possible it's all an innocent coincidence! But given what we know about Chin & Rus gov backed hacking/infiltration attempts...
Lasse Collin's patch-series updating the #LinuxKernel's #xz code that a few days ago hit #linux-next was dropped for now until backdooring of upstream xz is understood better:
Learning about the gcc `__attribute__((ifunc("resolve_xxx")))` construct is making me wonder what the hell the person who thought it up was drinking, smoking or eating, and the code review team too.
I'm struggling to think of a reasonable usecase for this monstrosity of a construct.
Realistically, any contributions by JiaT75 should be retroactively audited.
Not gonna look into it too deep as I'm working right now, but they seem to maintain a unit testing framework – seems pretty dead, but a testing framework certainly sounds like the sort of thing that would be in a good position to fuck with software supply chains.