My mastodon feed is full of IT security specialist talking about the xz affair where someone let a backdoor in some library.
But beside showing the two side of Free/Libre software (anybody can add a backdoor, and anybody can spot it), I have no idea how it impacts the average person. Is it a common library or something used only by specific application ? Would my home-grade router protects me ?
only someone running arch or debian sid or an bleeding edge rolling release on an internet exposed ssh port. the idea of that configuration would sound ludicrous. even so we should be building off git repos not tar balls.
the weird part this situation has made me feel safer. the amount of work that went into social engineering this and it only lasted a month tops for people that run distros that would just not be or should not be used as an exposed server ever.
it shows open source works. This is more embarrassing than anything and we deserve it. We need to pay core library devs and have a mechanism that core libraries can be handed off to a trusted org.while another upstream maintainer can be found or the project shut down and other projects move away from the un maintained project. When the person maintaining the project gets burned out or has other issues.
From the archlinux.org news post on the issue.
oh 100% i was just taking in general of upstream bleeding edge distro being vulnerable to this kind of upstream attack not specific to xz
why does everyone keep mentioning arch?
Because Arch was one of the distros that distributed the backdoored xz package, though they claim no vulnerability to due to their implementation.
so… they didn’t distribute the backdoored package did they?
Bruh ask Google the question instead of making a stranger figure it out for you. If you want an answer typed up for you go ask a LLM.
I already knew the answer. arch was not affected. hence why i asmed why it kept being mentioned.
I wasn’t asking if arch was affected. I was asking why you keep regurgitating this clearly wrong information (if you bothered to google it, of course)
So no, google could not have answered my question. And if you do use llms for answers, I feel sorry for you
I’m not sure I agree with that, Arch 100% should continue to be mentioned. Just because the Trojan didn’t launch due to the fact that Arch’s environment didn’t meet its criteria, doesn’t mean you should keep a known malicious package on your system.
People keep preaching to the heavens that Arch was not affected by it, but they don’t always state that Arch was infected by it, it just never binds the library to SSHD like Debian systems do (for systemd notifications) so the attack vector is never made.
The arch Wiki official statement on it is that you should remove the malicious package and do a full system update. Which should be common sense, but people have to be aware that the system is infected by it in order to know that they have to remove it. A process that if Arch was never mentioned as being involved users wouldn’t think to do