<html lang="en" op="item"><head><meta name="referrer" content="origin"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="stylesheet" type="text/css" href="news.css?XYhOlxRBVkdDcppwPBZc"> <link rel="icon" href="y18.svg"> <link rel="canonical" href="https://news.ycombinator.com/item?id=39866275"/> <title>Very annoying - the apparent author of the backdoor was in communication with me... | Hacker News</title></head><body><center><table id="hnmain" border="0" cellpadding="0" cellspacing="0" width="85%" bgcolor="#f6f6ef"> <tr><td bgcolor="#ff6600"><table border="0" cellpadding="0" cellspacing="0" width="100%" style="padding:2px"><tr><td style="width:18px;padding-right:4px"><a href="https://news.ycombinator.com"><img src="y18.svg" width="18" height="18" style="border:1px white solid; display:block"></a></td> <td style="line-height:12pt; height:10px;"><span class="pagetop"><b class="hnname"><a href="news">Hacker News</a></b> <a href="newest">new</a> | <a href="front">past</a> | <a href="newcomments">comments</a> | <a href="ask">ask</a> | <a href="show">show</a> | <a href="jobs">jobs</a> | <a href="submit" rel="nofollow">submit</a> </span></td><td style="text-align:right;padding-right:4px;"><span class="pagetop"> <a href="login?goto=item%3Fid%3D39866275">login</a> </span></td> </tr></table></td></tr> <tr id="pagespace" title="Very annoying - the apparent author of the backdoor was in communication with me..." 
style="height:10px"></tr><tr><td><table class="fatitem" border="0"> <tr class='athing' id='39866275'> <td class='ind'></td><td valign="top" class="votelinks"> <center><a id='up_39866275' href='vote?id=39866275&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=rwmj" class="hnuser">rwmj</a> <span class="age" title="2024-03-29T16:55:23 1711731323"><a href="item?id=39866275">11 months ago</a></span> <span id="unv_39866275"></span> <span class='navs'> | <a href="item?id=39865810">parent</a> | <a href="context?id=39866275" rel="nofollow">context</a> | <a href="fave?id=39866275&auth=528b9a894493901d65314173c348dce5ad6d4b4b">favorite</a><span class="onstory"> | on: <a href="item?id=39865810" title="Backdoor in upstream xz/liblzma leading to SSH server compromise">Backdoor in upstream xz/liblzma leading to SSH ser...</a></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). 
We had to race last night to fix the problem after an inadvertent break of the embargo.<p>He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.</div> <div class='reply'></div></div></td></tr> </table><br><br><table border="0" class='comment-tree'> <tr class='athing comtr' id='39870098'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39870098' href='vote?id=39870098&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=junon" class="hnuser">junon</a> <span class="age" title="2024-03-29T23:16:13 1711754173"><a href="item?id=39870098">11 months ago</a></span> <span id="unv_39870098"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39870098" n="40" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">GitHub has suspended @JiaT75's account.<p>EDIT: Lasse Collin's account @Larhzu has also been suspended.<p>EDIT: Github has disabled all Tukaani repositories, including downloads from the releases page.<p>--<p>EDIT: Just did a bit of poking. xz-embedded was touched by Jia as well and it appears to be used in the linux kernel. I did a quick look and it doesn't appear Jia touched anything of interest in there. 
I also checked the previous mirror at the tukaani project website, and nothing was out of place other than lagging a few commits behind:<p><a href="https://gist.github.com/Qix-/f1a1b9a933e8847f56103bc14783ab7b" rel="nofollow">https://gist.github.com/Qix-/f1a1b9a933e8847f56103bc14783ab7...</a><p>--<p>Here's a mailing list message from them ca. 2022.<p><a href="https://listor.tp-sv.se/pipermail/tp-sv_listor.tp-sv.se/2022-November/000802.html" rel="nofollow">https://listor.tp-sv.se/pipermail/tp-sv_listor.tp-sv.se/2022...</a><p>--<p>MinGW w64 on AUR was last published by Jia on Feb 29: <a href="https://aur.archlinux.org/cgit/aur.git/log/?h=mingw-w64-xz" rel="nofollow">https://aur.archlinux.org/cgit/aur.git/log/?h=mingw-w64-xz</a> (found by searching their public key: 22D465F2B4C173803B20C6DE59FCF207FEA7F445)<p>--<p>pacman-static on AUR still lists their public key as a contributor, xz was last updated to 5.4.5 on 17-11-2023: <a href="https://aur.archlinux.org/cgit/aur.git/?h=pacman-static" rel="nofollow">https://aur.archlinux.org/cgit/aur.git/?h=pacman-static</a><p>EDIT: I've emailed the maintainer to have the key removed.<p>--<p>Alpine was patched as of 6 hours ago.<p><a href="https://git.alpinelinux.org/aports/commit/?id=982d2c6bcbbb579e85bb27c40be84072ca0b1fd9" rel="nofollow">https://git.alpinelinux.org/aports/commit/?id=982d2c6bcbbb57...</a><p>--<p>OpenSUSE is still listing Jia's public key: <a href="https://sources.suse.com/SUSE:SLE-15-SP6:GA/xz/576e550c49a3667a44b6375fb28916e5/xz.keyring" rel="nofollow">https://sources.suse.com/SUSE:SLE-15-SP6:GA/xz/576e550c49a36...</a> (cross-ref with <a href="https://web.archive.org/web/20240329235153/https://tukaani.org/misc/jia_tan_pubkey.txt" rel="nofollow">https://web.archive.org/web/20240329235153/https://tukaani.o...</a>)<p>EDIT: Spoke with some folks in the package channel on libera, seems to be a non-issue. 
It is not used as attestation nor an ACL.<p>--<p>Arch appears to still list Jia as an approved publisher, if I'm understanding this page correctly.<p><a href="https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/blob/main/keys/pgp/22D465F2B4C173803B20C6DE59FCF207FEA7F445.asc" rel="nofollow">https://gitlab.archlinux.org/archlinux/packaging/packages/xz...</a><p>EDIT: Just sent an email to the last committer to bring it to their attention.<p>EDIT: It's been removed.<p>--<p>jiatan's Libera info indicates they registered on Dec 12 13:43:12 2022 with no timezone information.<p><pre><code> -NickServ- Information on jiatan (account jiatan): -NickServ- Registered : Dec 12 13:43:12 2022 +0000 (1y 15w 3d ago) -NickServ- Last seen : (less than two weeks ago) -NickServ- User seen : (less than two weeks ago) -NickServ- Flags : HideMail, Private -NickServ- jiatan has enabled nick protection -NickServ- *** End of Info *** </code></pre> /whowas expired not too long ago, unfortunately. If anyone has it I'd love to know.<p>They are not registered on freenode.<p>EDIT: Libera has stated they have not received any requests for information from any agencies as of yet (30th Saturday March 2024 00:39:31 UTC).<p>EDIT: Jia Tan was using a VPN to connect; that's all I'll be sharing here.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871231'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39871231' href='vote?id=39871231&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=junon" class="hnuser">junon</a> <span class="age" title="2024-03-30T02:17:05 1711765025"><a href="item?id=39871231">11 months ago</a></span> <span id="unv_39871231"></span> <span 
class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">parent</a> | <a href="#39873943" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871231" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Just for posterity since I can no longer edit: Libera staff has been firm and unrelenting in their position not to disclose anything whatsoever about the account. I obtained the last point on my own. Libera has made it clear they will not budge on this topic, which I applaud and respect. They were not involved whatsoever in ascertaining a VPN was used, and since that fact makes anything else about the connection information moot, there's nothing else to say about it.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr coll' id='39876042'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks nosee"> <center><img src="s.gif" height="1" width="14"></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Fnoord" class="hnuser">Fnoord</a> <span class="age" title="2024-03-30T15:55:29 1711814129"><a href="item?id=39876042">11 months ago</a></span> <span id="unv_39876042"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39871231" class="clicky" aria-hidden="true">parent</a> | <a href="#39873943" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876042" n="5" href="javascript:void(0)">[5 more]</a><span class="onstory"></span> </span> </span></div><br><div class="comment noshow"> [flagged] <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39876224'><td><table border='0'> <tr> <td class='ind' 
indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39876224' href='vote?id=39876224&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=junon" class="hnuser">junon</a> <span class="age" title="2024-03-30T16:19:11 1711815551"><a href="item?id=39876224">11 months ago</a></span> <span id="unv_39876224"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39876042" class="clicky" aria-hidden="true">parent</a> | <a href="#39876161" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876224" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I am not LE nor a government official. I did not present a warrant of any kind. I asked in a channel about it. Libera refused to provide information. Libera respecting the privacy of users is of course something I applaud and respect. 
Why wouldn't I?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39876161'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39876161' href='vote?id=39876161&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=freeone3000" class="hnuser">freeone3000</a> <span class="age" title="2024-03-30T16:10:32 1711815032"><a href="item?id=39876161">11 months ago</a></span> <span id="unv_39876161"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39876042" class="clicky" aria-hidden="true">parent</a> | <a href="#39876224" class="clicky" aria-hidden="true">prev</a> | <a href="#39878877" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876161" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Respect not giving out identifying information on individuals whenever someone asks, no matter what company they work for and what job they do? Yes. 
I respect this.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39878877'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39878877' href='vote?id=39878877&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=flykespice" class="hnuser">flykespice</a> <span class="age" title="2024-03-30T21:32:02 1711834322"><a href="item?id=39878877">11 months ago</a></span> <span id="unv_39878877"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39876042" class="clicky" aria-hidden="true">parent</a> | <a href="#39876161" class="clicky" aria-hidden="true">prev</a> | <a href="#39876618" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39878877" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It's called keeping integrity on not disclosing private info of any users from your network, regardless of whether they are bad actors.<p>I respect them for that.<p>Violating that code is just as bad as the bad actor slipping backdoors.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39876618'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39876618' href='vote?id=39876618&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=supposemaybe" 
class="hnuser">supposemaybe</a> <span class="age" title="2024-03-30T17:11:23 1711818683"><a href="item?id=39876618">11 months ago</a></span> <span id="unv_39876618"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39876042" class="clicky" aria-hidden="true">parent</a> | <a href="#39878877" class="clicky" aria-hidden="true">prev</a> | <a href="#39873943" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876618" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I hope you aren’t in control of any customer data.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39873943'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39873943' href='vote?id=39873943&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=reisse" class="hnuser">reisse</a> <span class="age" title="2024-03-30T11:47:59 1711799279"><a href="item?id=39873943">11 months ago</a></span> <span id="unv_39873943"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">parent</a> | <a href="#39871231" class="clicky" aria-hidden="true">prev</a> | <a href="#39872693" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39873943" n="16" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">> EDIT: Github has disabled all Tukaani repositories, including downloads from the releases page.<p>Why? 
Isn't it better to freeze them and let as many people as possible analyze the code?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874159'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39874159' href='vote?id=39874159&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=junon" class="hnuser">junon</a> <span class="age" title="2024-03-30T12:22:53 1711801373"><a href="item?id=39874159">11 months ago</a></span> <span id="unv_39874159"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39873943" class="clicky" aria-hidden="true">parent</a> | <a href="#39874587" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874159" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Good question, though I can imagine they took this action for two reasons:<p>1. They don't have the ability to freeze repos (i.e. would require some engineering effort to implement it), as I've never seen them do that before.<p>2. Many distros (and I assume many enterprises) were still linking to the GitHub releases to source the infected tarballs for building. 
Disabling the repo prevents that.<p>The infected tarballs and repo are still available elsewhere for researchers to find, too.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874389'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39874389' href='vote?id=39874389&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=nihilanth" class="hnuser">nihilanth</a> <span class="age" title="2024-03-30T12:54:05 1711803245"><a href="item?id=39874389">11 months ago</a></span> <span id="unv_39874389"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39874159" class="clicky" aria-hidden="true">parent</a> | <a href="#39874587" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874389" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">They could always archive it. 
Theoretically (and I mean theoretically only), there's another reason for Microsoft to prevent access to the repo: if a nation state was involved, and there've been backdoor conversations to obfuscate the trail.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39877690'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39877690' href='vote?id=39877690&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=jarfil" class="hnuser">jarfil</a> <span class="age" title="2024-03-30T19:11:47 1711825907"><a href="item?id=39877690">11 months ago</a></span> <span id="unv_39877690"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39874389" class="clicky" aria-hidden="true">parent</a> | <a href="#39874587" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39877690" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Archiving the repo doesn't stop the downloads. 
They would need to rename it in order to prevent distro CI/CD from continuing to download untrustworthy stuff.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39904508'><td><table border='0'> <tr> <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks"> <center><a id='up_39904508' href='vote?id=39904508&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-02T11:26:56 1712057216"><a href="item?id=39904508">11 months ago</a></span> <span id="unv_39904508"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39877690" class="clicky" aria-hidden="true">parent</a> | <a href="#39874587" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39904508" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Distros downloading directly from GitHub deserve what they get.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874587'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39874587' href='vote?id=39874587&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=AtNightWeCode" class="hnuser">AtNightWeCode</a> <span class="age" title="2024-03-30T13:18:35 1711804715"><a href="item?id=39874587">11 months ago</a></span> <span id="unv_39874587"></span> <span 
class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39873943" class="clicky" aria-hidden="true">parent</a> | <a href="#39874159" class="clicky" aria-hidden="true">prev</a> | <a href="#39874150" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874587" n="8" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Maybe one can get the code from here. New commits being added it seems.<p><a href="https://git.tukaani.org/" rel="nofollow">https://git.tukaani.org/</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39876115'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39876115' href='vote?id=39876115&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=ptx" class="hnuser">ptx</a> <span class="age" title="2024-03-30T16:04:56 1711814696"><a href="item?id=39876115">11 months ago</a></span> <span id="unv_39876115"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39874587" class="clicky" aria-hidden="true">parent</a> | <a href="#39874150" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876115" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">The latest commit is interesting (f9cf4c05edd14, "Fix sabotaged Landlock sandbox check").<p>It looks like one of Jia Tan's commits (328c52da8a2) added a stray "." 
character to a piece of C code that was part of a check for sandboxing support, which I guess would cause the code to fail to compile, causing the check to fail, causing the sandboxing to be disabled.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39876466'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39876466' href='vote?id=39876466&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=junon" class="hnuser">junon</a> <span class="age" title="2024-03-30T16:53:39 1711817619"><a href="item?id=39876466">11 months ago</a></span> <span id="unv_39876466"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39876115" class="clicky" aria-hidden="true">parent</a> | <a href="#39878307" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876466" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Lasse has also started his own documentation on the incident.<p><a href="https://tukaani.org/xz-backdoor/" rel="nofollow">https://tukaani.org/xz-backdoor/</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39878307'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39878307' href='vote?id=39878307&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=josefx" 
class="hnuser">josefx</a> <span class="age" title="2024-03-30T20:28:06 1711830486"><a href="item?id=39878307">11 months ago</a></span> <span id="unv_39878307"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39876115" class="clicky" aria-hidden="true">parent</a> | <a href="#39876466" class="clicky" aria-hidden="true">prev</a> | <a href="#39904555" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39878307" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Shouldn't they have tests running to ensure that the check works on at least some systems?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39883011'><td><table border='0'> <tr> <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks"> <center><a id='up_39883011' href='vote?id=39883011&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=windenntw" class="hnuser">windenntw</a> <span class="age" title="2024-03-31T10:30:50 1711881050"><a href="item?id=39883011">11 months ago</a></span> <span id="unv_39883011"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39878307" class="clicky" aria-hidden="true">parent</a> | <a href="#39904555" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39883011" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">What do you mean "tests"?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39893948'><td><table 
border='0'> <tr> <td class='ind' indent='6'><img src="s.gif" height="1" width="240"></td><td valign="top" class="votelinks"> <center><a id='up_39893948' href='vote?id=39893948&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=josefx" class="hnuser">josefx</a> <span class="age" title="2024-04-01T13:25:56 1711977956"><a href="item?id=39893948">11 months ago</a></span> <span id="unv_39893948"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39883011" class="clicky" aria-hidden="true">parent</a> | <a href="#39904555" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39893948" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Have a system where you expect the sandboxing to work and have an automated check that it compiles there?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39904607'><td><table border='0'> <tr> <td class='ind' indent='7'><img src="s.gif" height="1" width="280"></td><td valign="top" class="votelinks"> <center><a id='up_39904607' href='vote?id=39904607&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=ptx" class="hnuser">ptx</a> <span class="age" title="2024-04-02T11:42:28 1712058148"><a href="item?id=39904607">11 months ago</a></span> <span id="unv_39904607"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39893948" class="clicky" aria-hidden="true">parent</a> | <a href="#39904555" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" 
id="39904607" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Part of the backdoor was in the tests. The attacker in this case could easily have sabotaged the test as well if a test was required.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39904555'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39904555' href='vote?id=39904555&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-02T11:34:39 1712057679"><a href="item?id=39904555">11 months ago</a></span> <span id="unv_39904555"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39876115" class="clicky" aria-hidden="true">parent</a> | <a href="#39878307" class="clicky" aria-hidden="true">prev</a> | <a href="#39874150" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39904555" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">If your project becomes complex enough eventually you need tests for the configure step. 
Even without malicious actors, it's easy to miss that a compiler or system change broke some check.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874150'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39874150' href='vote?id=39874150&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Sebb767" class="hnuser">Sebb767</a> <span class="age" title="2024-03-30T12:21:40 1711801300"><a href="item?id=39874150">11 months ago</a></span> <span id="unv_39874150"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39873943" class="clicky" aria-hidden="true">parent</a> | <a href="#39874587" class="clicky" aria-hidden="true">prev</a> | <a href="#39875889" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874150" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">You can still find the source everywhere, if you look for it. 
Having a fine-looking page distribute vulnerable source code is a much bigger threat.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875889'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39875889' href='vote?id=39875889&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=godelski" class="hnuser">godelski</a> <span class="age" title="2024-03-30T15:40:19 1711813219"><a href="item?id=39875889">11 months ago</a></span> <span id="unv_39875889"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39873943" class="clicky" aria-hidden="true">parent</a> | <a href="#39874150" class="clicky" aria-hidden="true">prev</a> | <a href="#39875583" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875889" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">You can find it on archive. 
Someone archived it last night</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr coll' id='39875583'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks nosee"> <center><img src="s.gif" height="1" width="14"></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=megous" class="hnuser">megous</a> <span class="age" title="2024-03-30T15:11:03 1711811463"><a href="item?id=39875583">11 months ago</a></span> <span id="unv_39875583"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39873943" class="clicky" aria-hidden="true">parent</a> | <a href="#39875889" class="clicky" aria-hidden="true">prev</a> | <a href="#39872693" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875583" n="2" href="javascript:void(0)">[2 more]</a><span class="onstory"></span> </span> </span></div><br><div class="comment noshow"> [flagged] <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39876261'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39876261' href='vote?id=39876261&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=junon" class="hnuser">junon</a> <span class="age" title="2024-03-30T16:23:17 1711815797"><a href="item?id=39876261">11 months ago</a></span> <span id="unv_39876261"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39875583" class="clicky" aria-hidden="true">parent</a> | <a href="#39872693" 
class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876261" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Don't agree here. I've only ever seen GitHub do this in extreme circumstances where they were <i>absolutely</i> warranted.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872693'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39872693' href='vote?id=39872693&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Phenylacetyl" class="hnuser">Phenylacetyl</a> <span class="age" title="2024-03-30T07:37:50 1711784270"><a href="item?id=39872693">11 months ago</a></span> <span id="unv_39872693"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">parent</a> | <a href="#39873943" class="clicky" aria-hidden="true">prev</a> | <a href="#39873022" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872693" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">The alpine patch includes gettext-dev which is likely also exploited as the same authors have been pushing gettext to projects where their changes have been questioned</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39873830'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39873830' href='vote?id=39873830&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' 
title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=jwilk" class="hnuser">jwilk</a> <span class="age" title="2024-03-30T11:28:17 1711798097"><a href="item?id=39873830">11 months ago</a></span> <span id="unv_39873830"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39872693" class="clicky" aria-hidden="true">parent</a> | <a href="#39873022" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39873830" n="6" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">What do you mean?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874698'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39874698' href='vote?id=39874698&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=everybackdoor" class="hnuser">everybackdoor</a> <span class="age" title="2024-03-30T13:32:59 1711805579"><a href="item?id=39874698">11 months ago</a></span> <span id="unv_39874698"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39873830" class="clicky" aria-hidden="true">parent</a> | <a href="#39873022" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874698" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Look at the newest commits, do you see anything suspicious:<p><a href="https://git.alpinelinux.org/aports/log/main/gettext" 
rel="nofollow">https://git.alpinelinux.org/aports/log/main/gettext</a><p>libunistring could also be affected as that has also been pushed there</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875338'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39875338' href='vote?id=39875338&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=whoopdedo" class="hnuser">whoopdedo</a> <span class="age" title="2024-03-30T14:41:21 1711809681"><a href="item?id=39875338">11 months ago</a></span> <span id="unv_39875338"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39874698" class="clicky" aria-hidden="true">parent</a> | <a href="#39876145" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875338" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Seeing so many commits that are "skip failing test" is a very strong code smell.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39893056'><td><table border='0'> <tr> <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks"> <center><a id='up_39893056' href='vote?id=39893056&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=gray_-_wolf" class="hnuser">gray_-_wolf</a> <span class="age" title="2024-04-01T11:40:56 1711971656"><a href="item?id=39893056">11 months 
ago</a></span> <span id="unv_39893056"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39875338" class="clicky" aria-hidden="true">parent</a> | <a href="#39876145" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39893056" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Yes, but it is often a sad reality of trying to run projects mainly written for glibc on musl. Not many people write portable C these days.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39904581'><td><table border='0'> <tr> <td class='ind' indent='6'><img src="s.gif" height="1" width="240"></td><td valign="top" class="votelinks"> <center><a id='up_39904581' href='vote?id=39904581&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-02T11:40:22 1712058022"><a href="item?id=39904581">11 months ago</a></span> <span id="unv_39904581"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39893056" class="clicky" aria-hidden="true">parent</a> | <a href="#39876145" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39904581" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It's still the wrong way to go about things. 
Tests are there for a reason, meaning if they fail you should try to understand them to the point where you can fix the problem (broken test or actual bug) instead of just wantonly disabling tests until you get a green light.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39876145'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39876145' href='vote?id=39876145&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=jwilk" class="hnuser">jwilk</a> <span class="age" title="2024-03-30T16:08:38 1711814918"><a href="item?id=39876145">11 months ago</a></span> <span id="unv_39876145"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39874698" class="clicky" aria-hidden="true">parent</a> | <a href="#39875338" class="clicky" aria-hidden="true">prev</a> | <a href="#39873022" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876145" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">> do you see anything suspicious<p>No.<p>> libunistring could also be affected as that has also been pushed there<p>What do you mean by "that"?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39873022'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39873022' href='vote?id=39873022&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; 
margin-bottom:-10px;"><span class="comhead"> <a href="user?id=mook" class="hnuser">mook</a> <span class="age" title="2024-03-30T08:50:34 1711788634"><a href="item?id=39873022">11 months ago</a></span> <span id="unv_39873022"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">parent</a> | <a href="#39872693" class="clicky" aria-hidden="true">prev</a> | <a href="#39877321" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39873022" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">FWIW, that's mingw-w64-xz (cross-compiled xz utils) in AUR, not ming-w64 (which would normally refer to the compiler toolchain itself).</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39873395'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39873395' href='vote?id=39873395&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=junon" class="hnuser">junon</a> <span class="age" title="2024-03-30T10:05:01 1711793101"><a href="item?id=39873395">11 months ago</a></span> <span id="unv_39873395"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39873022" class="clicky" aria-hidden="true">parent</a> | <a href="#39877321" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39873395" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Good catch, thanks :)</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing 
comtr' id='39877321'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39877321' href='vote?id=39877321&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=junon" class="hnuser">junon</a> <span class="age" title="2024-03-30T18:25:08 1711823108"><a href="item?id=39877321">11 months ago</a></span> <span id="unv_39877321"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">parent</a> | <a href="#39873022" class="clicky" aria-hidden="true">prev</a> | <a href="#39876938" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39877321" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It appears to be an RCE, not a public key bypass: <a href="https://news.ycombinator.com/item?id=39877312">https://news.ycombinator.com/item?id=39877312</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39876938'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39876938' href='vote?id=39876938&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=mikolajw" class="hnuser">mikolajw</a> <span class="age" title="2024-03-30T17:45:08 1711820708"><a href="item?id=39876938">11 months ago</a></span> <span id="unv_39876938"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">parent</a> | <a href="#39877321" class="clicky" aria-hidden="true">prev</a> | 
<a href="#39876757" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876938" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I've posted an earlier WHOWAS of jiatan here: <a href="https://news.ycombinator.com/item?id=39868773">https://news.ycombinator.com/item?id=39868773</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39876757'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39876757' href='vote?id=39876757&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=hypnagogic" class="hnuser">hypnagogic</a> <span class="age" title="2024-03-30T17:26:44 1711819604"><a href="item?id=39876757">11 months ago</a></span> <span id="unv_39876757"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">parent</a> | <a href="#39876938" class="clicky" aria-hidden="true">prev</a> | <a href="#39909926" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876757" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Asking this here too: why isn't there an automated A/B or diff match for the tarball contents to match the repo, auto-flag with a warning if that happens? 
Am I missing something here?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39877275'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39877275' href='vote?id=39877275&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=nolist_policy" class="hnuser">nolist_policy</a> <span class="age" title="2024-03-30T18:20:29 1711822829"><a href="item?id=39877275">11 months ago</a></span> <span id="unv_39877275"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39876757" class="clicky" aria-hidden="true">parent</a> | <a href="#39909926" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39877275" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">The tarballs mismatching from the git tree is a feature, not a bug. 
Projects that use submodules may want to include these and projects using autoconf may want to generate and include the configure script.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39884271'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39884271' href='vote?id=39884271&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=hypnagogic" class="hnuser">hypnagogic</a> <span class="age" title="2024-03-31T13:54:17 1711893257"><a href="item?id=39884271">11 months ago</a></span> <span id="unv_39884271"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39877275" class="clicky" aria-hidden="true">parent</a> | <a href="#39877418" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39884271" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">> The tarballs mismatching from the git tree is a feature, not a bug.<p>A feature which allowed the exploit to take place, let's put it that way.<p>Over here: <a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27" rel="nofollow">https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78b...</a><p>> The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf. 
The version of build-to-host.m4 in the release tarballs differs wildly from the upstream on GitHub.<p>Multiple suggestions on that thread on how that's a legacy practice that might be outdated, especially in the current climate of cyber threats.<p>Someone even posted a more thorough gist on what could be done to increase transparency and reduce discrepancies between tarballs and repos: <a href="https://gist.github.com/smintrh78/97b5cb4d8332ea4808f25b47c80ac73d" rel="nofollow">https://gist.github.com/smintrh78/97b5cb4d8332ea4808f25b47c8...</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39877418'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39877418' href='vote?id=39877418&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=ano-ther" class="hnuser">ano-ther</a> <span class="age" title="2024-03-30T18:35:27 1711823727"><a href="item?id=39877418">11 months ago</a></span> <span id="unv_39877418"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39877275" class="clicky" aria-hidden="true">parent</a> | <a href="#39884271" class="clicky" aria-hidden="true">prev</a> | <a href="#39909926" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39877418" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Here is a longer explainer: <a href="https://www.redhat.com/en/blog/what-open-source-upstream" rel="nofollow">https://www.redhat.com/en/blog/what-open-source-upstream</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr 
class='athing comtr' id='39884351'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39884351' href='vote?id=39884351&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=hypnagogic" class="hnuser">hypnagogic</a> <span class="age" title="2024-03-31T14:02:32 1711893752"><a href="item?id=39884351">11 months ago</a></span> <span id="unv_39884351"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39877418" class="clicky" aria-hidden="true">parent</a> | <a href="#39909926" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39884351" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">"lol"<p>> Those days are pretty much behind us. Sure, you can compile code and tweak software configurations if you want to--but most of the time, users don't want to. Organizations generally don't want to, they want to rely on certified products that they can vet for their environment and get support for. This is why enterprise open source exists. Users and organizations count on vendors to turn upstreams into coherent downstream products that meet their needs.<p>> In turn, vendors like Red Hat learn from customer requests and feedback about what features they need and want. 
That, then, benefits the upstream project in the form of new features and bugfixes, etc., and ultimately finds its way into products and the cycle continues.<p>"and when the upstream is tainted, everyone drinks poisoned water downstream, simple as that!"</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39909926'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39909926' href='vote?id=39909926&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=menomatter" class="hnuser">menomatter</a> <span class="age" title="2024-04-02T19:32:07 1712086327"><a href="item?id=39909926">11 months ago</a></span> <span id="unv_39909926"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">parent</a> | <a href="#39876757" class="clicky" aria-hidden="true">prev</a> | <a href="#39866936" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39909926" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">account is back online <a href="https://github.com/JiaT75">https://github.com/JiaT75</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39914643'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39914643' href='vote?id=39914643&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" 
class="hnuser">account42</a> <span class="age" title="2024-04-03T07:47:14 1712130434"><a href="item?id=39914643">11 months ago</a></span> <span id="unv_39914643"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">root</a> | <a href="#39909926" class="clicky" aria-hidden="true">parent</a> | <a href="#39866936" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39914643" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Hopefully still locked, just visible so people can find and analyze his contributions.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39866936'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39866936' href='vote?id=39866936&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=formerly_proven" class="hnuser">formerly_proven</a> <span class="age" title="2024-03-29T17:48:28 1711734508"><a href="item?id=39866936">11 months ago</a></span> <span id="unv_39866936"></span> <span class='navs'> | <a href="#39870098" class="clicky" aria-hidden="true">prev</a> | <a href="#39867078" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866936" n="17" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I think this has been in the making for almost a year. The whole ifunc infrastructure was added in June 2023 by Hans Jansen and Jia Tan. 
The initial patch is "authored by" Lasse Collin in the git metadata, but the code actually came from Hans Jansen: <a href="https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314">https://github.com/tukaani-project/xz/commit/ee44863ae88e377...</a><p>> Thanks to Hans Jansen for the original patch.<p><a href="https://github.com/tukaani-project/xz/pull/53">https://github.com/tukaani-project/xz/pull/53</a><p>There were a ton of patches by these two subsequently because the ifunc code was breaking with all sorts of build options and obviously caused many problems with various sanitizers. Subsequently the configure script was modified multiple times to detect the use of sanitizers and abort the build unless either the sanitizer was disabled or the use of ifuncs was disabled. That would've masked the payload in many testing and debugging environments.<p>The hansjans162 Github account was created in 2023 and the only thing it did was add this code to liblzma. The same name later applied to do a NMU at Debian for the vulnerable version. 
Another "<name><number>" account (which only appears here, once) then pops up and asks for the vulnerable version to be imported: <a href="https://www.mail-archive.com/search?l=debian-bugs-dist@lists.debian.org&q=from:%22krygorin4545%22" rel="nofollow">https://www.mail-archive.com/search?l=debian-bugs-dist@lists...</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39868390'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39868390' href='vote?id=39868390&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=bed99" class="hnuser">bed99</a> <span class="age" title="2024-03-29T20:02:16 1711742536"><a href="item?id=39868390">11 months ago</a></span> <span id="unv_39868390"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">parent</a> | <a href="#39872872" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39868390" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">1 week ago "Hans Jansen" user "hjansen" was created in debian and opened 8 PRs including the upgrade to 5.6.1 to xz-utils<p>From <a href="https://salsa.debian.org/users/hjansen/activity" rel="nofollow">https://salsa.debian.org/users/hjansen/activity</a><p>Author: Hans Jansen <hansjansen162@outlook.com><p>- [Debian Games / empire](<a href="https://salsa.debian.org/games-team/empire" rel="nofollow">https://salsa.debian.org/games-team/empire</a>): opened merge request "!2 New upstream version 1.17" - March 17, 2024<p>- [Debian Games / empire](<a href="https://salsa.debian.org/games-team/empire" 
rel="nofollow">https://salsa.debian.org/games-team/empire</a>): opened merge request "!1 Update to upstream 1.17" - March 17, 2024<p>- [Debian Games / libretro / libretro-core-info](<a href="https://salsa.debian.org/games-team/libretro/libretro-core-info" rel="nofollow">https://salsa.debian.org/games-team/libretro/libretro-core-i...</a>): opened merge request "!2 New upstream version 1.17.0" - March 17, 2024<p>- [Debian Games / libretro / libretro-core-info](<a href="https://salsa.debian.org/games-team/libretro/libretro-core-info" rel="nofollow">https://salsa.debian.org/games-team/libretro/libretro-core-i...</a>): opened merge request "!1 Update to upstream 1.17.0" - March 17, 2024<p>- [Debian Games / endless-sky](<a href="https://salsa.debian.org/games-team/endless-sky" rel="nofollow">https://salsa.debian.org/games-team/endless-sky</a>): opened merge request "!6 Update upstream branch to 0.10.6" - March 17, 2024<p>- [Debian Games / endless-sky](<a href="https://salsa.debian.org/games-team/endless-sky" rel="nofollow">https://salsa.debian.org/games-team/endless-sky</a>): opened merge request "!5 Update to upstream 0.10.6" - March 17, 2024<p>- [Debian / Xz Utils](<a href="https://salsa.debian.org/debian/xz-utils" rel="nofollow">https://salsa.debian.org/debian/xz-utils</a>): opened merge request "!1 Update to upstream 5.6.1" - March 17, 2024</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39868644'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39868644' href='vote?id=39868644&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=bombcar" class="hnuser">bombcar</a> <span class="age" title="2024-03-29T20:27:54 1711744074"><a 
href="item?id=39868644">11 months ago</a></span> <span id="unv_39868644"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">root</a> | <a href="#39868390" class="clicky" aria-hidden="true">parent</a> | <a href="#39877938" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39868644" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">That looks exactly like what you'd want to see to disguise the actual request you want, a number of pointless upstream updates in things that are mostly ignored, and then the one you want.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39877938'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39877938' href='vote?id=39877938&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=detistea" class="hnuser">detistea</a> <span class="age" title="2024-03-30T19:43:20 1711827800"><a href="item?id=39877938">11 months ago</a></span> <span id="unv_39877938"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">root</a> | <a href="#39868390" class="clicky" aria-hidden="true">parent</a> | <a href="#39868644" class="clicky" aria-hidden="true">prev</a> | <a href="#39872872" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39877938" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">glad I didn't merge it ...</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' 
id='39872872'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39872872' href='vote?id=39872872&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=formerly_proven" class="hnuser">formerly_proven</a> <span class="age" title="2024-03-30T08:13:31 1711786411"><a href="item?id=39872872">11 months ago</a></span> <span id="unv_39872872"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">parent</a> | <a href="#39868390" class="clicky" aria-hidden="true">prev</a> | <a href="#39867049" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872872" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Make it two years.<p>Jia Tan getting maintainer access looks like it was almost certainly part of the operation. Lasse Collin mentioned multiple times how Jia has helped off-list and to me it seems like Jia befriended Lasse as well (see how Lasse talks about them in 2023).<p>Also the pattern of astroturfing dates back to 2022. See for example this thread where Jia, who has helped at this point for a few weeks, posts a patch, and a &lt;name&gt;&lt;number&gt;@protonmail (jigarkumar17) user pops up and then bumps the thread three times(!) 
lamenting the slowness of the project and pushing for Jia to get commit access: <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00553.html" rel="nofollow">https://www.mail-archive.com/xz-devel@tukaani.org/msg00553.h...</a><p>Naturally, like in the other instances of this happening, this user only appears once on the internet.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39867049'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39867049' href='vote?id=39867049&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=zb3" class="hnuser">zb3</a> <span class="age" title="2024-03-29T17:58:01 1711735081"><a href="item?id=39867049">11 months ago</a></span> <span id="unv_39867049"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">parent</a> | <a href="#39872872" class="clicky" aria-hidden="true">prev</a> | <a href="#39869538" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867049" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Also I saw this hans jansen user pushing for merging the 5.6.1 update in debian: <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708" rel="nofollow">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869226'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39869226' 
href='vote?id=39869226&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=hxelk1" class="hnuser">hxelk1</a> <span class="age" title="2024-03-29T21:29:59 1711747799"><a href="item?id=39869226">11 months ago</a></span> <span id="unv_39869226"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">root</a> | <a href="#39867049" class="clicky" aria-hidden="true">parent</a> | <a href="#39869538" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869226" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">From: krygorin4545 &lt;krygorin4545@proton.me&gt; To: "1067708@bugs.debian.org" &lt;1067708@bugs.debian.org&gt; Cc: "sebastian@breakpoint.cc" &lt;sebastian@breakpoint.cc&gt;, "bage@debian.org" &lt;bage@debian.org&gt; Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] -- XZ-format compression utilities Date: Tue, 26 Mar 2024 19:27:47 +0000<p>Also seeing this bug. Extra valgrind output causes some failed tests for me. Looks like the new version will resolve it. 
Would like this new version so I can continue work.<p>--<p>Wow.<p>(Edited for clarity.)</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869538'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39869538' href='vote?id=39869538&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=amluto" class="hnuser">amluto</a> <span class="age" title="2024-03-29T22:10:46 1711750246"><a href="item?id=39869538">11 months ago</a></span> <span id="unv_39869538"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">parent</a> | <a href="#39867049" class="clicky" aria-hidden="true">prev</a> | <a href="#39867142" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869538" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Wow, what a big pile of infrastructure for a non-optimization.<p>An internal call via ifunc is not magic — it’s just a call via the GOT or PLT, which boils down to function pointers. 
An internal call through a hidden visibility function pointer (the right way to do this) is also a function pointer.<p>The <i>even better</i> solution is a plain old if statement, which implements the very very fancy “devirtualization” optimization, and the result will be effectively predicted on most CPUs and is not subject to the whole pile of issues that retpolines are needed to work around.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39915610'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39915610' href='vote?id=39915610&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-03T10:30:40 1712140240"><a href="item?id=39915610">11 months ago</a></span> <span id="unv_39915610"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">root</a> | <a href="#39869538" class="clicky" aria-hidden="true">parent</a> | <a href="#39867142" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39915610" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Right, IFUNCs make sense for library functions where you have the function pointer indirection anyway. 
Makes much less sense for internal functions - only argument over a regular function pointer would be the pointer being marked RO after it is resolved (if the library was linked with -z relro -z now), but an if avoids even that issue.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39867142'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39867142' href='vote?id=39867142&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=bluecheese33" class="hnuser">bluecheese33</a> <span class="age" title="2024-03-29T18:06:31 1711735591"><a href="item?id=39867142">11 months ago</a></span> <span id="unv_39867142"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">parent</a> | <a href="#39869538" class="clicky" aria-hidden="true">prev</a> | <a href="#39871674" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867142" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">> because the ifunc code was breaking with all sorts of build options and obviously caused many problems with various sanitizers<p>for example, <a href="https://github.com/google/oss-fuzz/pull/10667">https://github.com/google/oss-fuzz/pull/10667</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871674'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39871674' href='vote?id=39871674&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' 
title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=snvzz" class="hnuser">snvzz</a> <span class="age" title="2024-03-30T03:46:44 1711770404"><a href="item?id=39871674">11 months ago</a></span> <span id="unv_39871674"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">parent</a> | <a href="#39867142" class="clicky" aria-hidden="true">prev</a> | <a href="#39867127" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871674" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">>Hans Jansen and Jia Tan<p>Are they really two people conspiring?<p>Unless proven otherwise, it is safe to assume one is just a pseudonym alias of the other.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871990'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39871990' href='vote?id=39871990&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=EasyMark" class="hnuser">EasyMark</a> <span class="age" title="2024-03-30T05:06:26 1711775186"><a href="item?id=39871990">11 months ago</a></span> <span id="unv_39871990"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">root</a> | <a href="#39871674" class="clicky" aria-hidden="true">parent</a> | <a href="#39867127" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871990" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">or possibly just one 
person acting as two, or a group of people?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39971145'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39971145' href='vote?id=39971145&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=cutemonster" class="hnuser">cutemonster</a> <span class="age" title="2024-04-08T16:10:29 1712592629"><a href="item?id=39971145">10 months ago</a></span> <span id="unv_39971145"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">root</a> | <a href="#39871990" class="clicky" aria-hidden="true">parent</a> | <a href="#39867127" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39971145" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Or a group managing many identities, backdooring many different projects</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39867127'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39867127' href='vote?id=39867127&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=zb3" class="hnuser">zb3</a> <span class="age" title="2024-03-29T18:04:02 1711735442"><a href="item?id=39867127">11 months ago</a></span> <span id="unv_39867127"></span> <span class='navs'> | <a href="#39866936" class="clicky" 
aria-hidden="true">parent</a> | <a href="#39871674" class="clicky" aria-hidden="true">prev</a> | <a href="#39875001" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867127" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Also I see this PR: <a href="https://github.com/tukaani-project/xz/pull/64">https://github.com/tukaani-project/xz/pull/64</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875001'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39875001' href='vote?id=39875001&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=tootie" class="hnuser">tootie</a> <span class="age" title="2024-03-30T14:03:29 1711807409"><a href="item?id=39875001">11 months ago</a></span> <span id="unv_39875001"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">parent</a> | <a href="#39867127" class="clicky" aria-hidden="true">prev</a> | <a href="#39967621" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875001" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Does anybody know anything about Jia Tan? Is it likely just a made up persona? 
Or is this a well-known person.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39899479'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39899479' href='vote?id=39899479&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=SZJX" class="hnuser">SZJX</a> <span class="age" title="2024-04-01T21:19:01 1712006341"><a href="item?id=39899479">11 months ago</a></span> <span id="unv_39899479"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">root</a> | <a href="#39875001" class="clicky" aria-hidden="true">parent</a> | <a href="#39967621" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39899479" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It’s certainly a pseudonym just like all the other personas we’ve seen popping up on the mailing list supporting this “Jia Tan” in these couple of years. 
For all intents and purposes they can be of any nationality until we know more.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39967621'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39967621' href='vote?id=39967621&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Ill_Yam_689" class="hnuser">Ill_Yam_689</a> <span class="age" title="2024-04-08T08:53:22 1712566402"><a href="item?id=39967621">10 months ago</a></span> <span id="unv_39967621"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">parent</a> | <a href="#39875001" class="clicky" aria-hidden="true">prev</a> | <a href="#39867078" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39967621" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It seems like Hans Jansen has also an account on proton.me (hansjansen162@proton.me) with the Outlook address configured as recovery-email.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39867078'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39867078' href='vote?id=39867078&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=jonathanspw" class="hnuser">jonathanspw</a> <span class="age" title="2024-03-29T17:59:59 1711735199"><a href="item?id=39867078">11 months 
ago</a></span> <span id="unv_39867078"></span> <span class='navs'> | <a href="#39866936" class="clicky" aria-hidden="true">prev</a> | <a href="#39869132" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867078" n="14" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Yesterday sure was fun wasn't it :p Thanks for all your help/working with me on getting this cleaned up in Fedora.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875510'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39875510' href='vote?id=39875510&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=speleding" class="hnuser">speleding</a> <span class="age" title="2024-03-30T15:02:42 1711810962"><a href="item?id=39875510">11 months ago</a></span> <span id="unv_39875510"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">parent</a> | <a href="#39871629" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875510" n="11" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">PSA: I just noticed homebrew installed the compromised version on my Mac as a dependency of some other package. 
You may want to check this to see what version you get:<p><pre><code> xz --version </code></pre> Homebrew has already taken action, a `brew upgrade` will downgrade back to the last known good version.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875753'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39875753' href='vote?id=39875753&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=jonahx" class="hnuser">jonahx</a> <span class="age" title="2024-03-30T15:28:41 1711812521"><a href="item?id=39875753">11 months ago</a></span> <span id="unv_39875753"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39875510" class="clicky" aria-hidden="true">parent</a> | <a href="#39875576" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875753" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I also had a homebrew installed affected version.<p>I understand it's unlikely, but is there anything I can do to check if the backdoor was used? 
Also any other steps I should take after "brew upgrade"?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39876159'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39876159' href='vote?id=39876159&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=tomputer" class="hnuser">tomputer</a> <span class="age" title="2024-03-30T16:10:16 1711815016"><a href="item?id=39876159">11 months ago</a></span> <span id="unv_39876159"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39875753" class="clicky" aria-hidden="true">parent</a> | <a href="#39875576" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876159" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Quoting[1] from Homebrew on Github:<p>>> Looks like that Homebrew users (both macOS and Linux, both Intel and ARM) are unlikely affected?<p>> Correct. 
Though we do not appear to be affected, this revert was done out of an abundance of caution.<p>[1] <a href="https://github.com/Homebrew/homebrew-core/pull/167512">https://github.com/Homebrew/homebrew-core/pull/167512</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875576'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39875576' href='vote?id=39875576&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=mthoms" class="hnuser">mthoms</a> <span class="age" title="2024-03-30T15:10:22 1711811422"><a href="item?id=39875576">11 months ago</a></span> <span id="unv_39875576"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39875510" class="clicky" aria-hidden="true">parent</a> | <a href="#39875753" class="clicky" aria-hidden="true">prev</a> | <a href="#39883956" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875576" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Thanks for this. 
I just ran brew upgrade and the result was as you described:<p><pre><code> xz 5.6.1 -> 5.4.6</code></pre></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39883956'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39883956' href='vote?id=39883956&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=pmarreck" class="hnuser">pmarreck</a> <span class="age" title="2024-03-31T13:12:37 1711890757"><a href="item?id=39883956">11 months ago</a></span> <span id="unv_39883956"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39875510" class="clicky" aria-hidden="true">parent</a> | <a href="#39875576" class="clicky" aria-hidden="true">prev</a> | <a href="#39875800" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39883956" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">sorry, what exact version(s) is the one(s) affected again?<p>(or SHAs, etc.)<p>(EDIT: 5.6.0 and 5.6.1 ?)<p>(EDIT 2: Ooof, looks like the nix unstable channel uses xz 5.6.1 at this time)<p>I use Nix to manage this stuff on Mac, not Homebrew...</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39890543'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39890543' href='vote?id=39890543&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; 
margin-bottom:-10px;"><span class="comhead"> <a href="user?id=redxtech" class="hnuser">redxtech</a> <span class="age" title="2024-04-01T03:04:39 1711940679"><a href="item?id=39890543">11 months ago</a></span> <span id="unv_39890543"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39883956" class="clicky" aria-hidden="true">parent</a> | <a href="#39875800" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39890543" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">GitHub disabled the xz repo, making it a bit more difficult for nix to revert to an older version. They've made a fix, but it will take several more days for the build systems to finish rebuilding the ~220,000 packages that depend on the bootstrap utils.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39891980'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39891980' href='vote?id=39891980&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=kreetx" class="hnuser">kreetx</a> <span class="age" title="2024-04-01T08:46:09 1711961169"><a href="item?id=39891980">11 months ago</a></span> <span id="unv_39891980"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39890543" class="clicky" aria-hidden="true">parent</a> | <a href="#39915629" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39891980" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Here is 
the discussion <a href="https://github.com/NixOS/nixpkgs/issues/300055">https://github.com/NixOS/nixpkgs/issues/300055</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39915629'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39915629' href='vote?id=39915629&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-03T10:33:50 1712140430"><a href="item?id=39915629">11 months ago</a></span> <span id="unv_39915629"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39890543" class="clicky" aria-hidden="true">parent</a> | <a href="#39891980" class="clicky" aria-hidden="true">prev</a> | <a href="#39875800" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39915629" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Lol they shouldn't be relying on GitHub in the first place.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39937920'><td><table border='0'> <tr> <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks"> <center><a id='up_39937920' href='vote?id=39937920&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=rrrix1" class="hnuser">rrrix1</a> <span class="age" title="2024-04-05T01:50:47 1712281847"><a 
href="item?id=39937920">11 months ago</a></span> <span id="unv_39937920"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39915629" class="clicky" aria-hidden="true">parent</a> | <a href="#39875800" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39937920" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">What should they be relying on instead? Maybe rsync everything to an FTP server? Or Torrents? From your other comments, you seem to think no one should ever use GitHub for anything.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875800'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39875800' href='vote?id=39875800&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=cozzyd" class="hnuser">cozzyd</a> <span class="age" title="2024-03-30T15:33:27 1711812807"><a href="item?id=39875800">11 months ago</a></span> <span id="unv_39875800"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39875510" class="clicky" aria-hidden="true">parent</a> | <a href="#39883956" class="clicky" aria-hidden="true">prev</a> | <a href="#39876542" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875800" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Is it actually compromised on homebrew though? 
I guess we can't be sure but it seemed to be checking if it was being packaged as .deb or .rpm?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39876542'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39876542' href='vote?id=39876542&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=erhaetherth" class="hnuser">erhaetherth</a> <span class="age" title="2024-03-30T17:02:40 1711818160"><a href="item?id=39876542">11 months ago</a></span> <span id="unv_39876542"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> | <a href="#39875510" class="clicky" aria-hidden="true">parent</a> | <a href="#39875800" class="clicky" aria-hidden="true">prev</a> | <a href="#39871629" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876542" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Is 5.2.2 safe? 
Just 5.6.0 and 5.6.1 are bad?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871629'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39871629' href='vote?id=39871629&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=vbi8iBEX" class="hnuser">vbi8iBEX</a> <span class="age" title="2024-03-30T03:35:08 1711769708"><a href="item?id=39871629">11 months ago</a></span> <span id="unv_39871629"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">parent</a> | <a href="#39875510" class="clicky" aria-hidden="true">prev</a> | <a href="#39869132" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871629" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Is it normal that when I try to uninstall xz it is trying to install lzma?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872158'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39872158' href='vote?id=39872158&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=inetknght" class="hnuser">inetknght</a> <span class="age" title="2024-03-30T05:44:31 1711777471"><a href="item?id=39872158">11 months ago</a></span> <span id="unv_39872158"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">root</a> 
| <a href="#39871629" class="clicky" aria-hidden="true">parent</a> | <a href="#39869132" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872158" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It means that `xz` was depended upon by something that depends on eg "xz OR lzma"</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869132'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39869132' href='vote?id=39869132&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=userbinator" class="hnuser">userbinator</a> <span class="age" title="2024-03-29T21:19:09 1711747149"><a href="item?id=39869132">11 months ago</a></span> <span id="unv_39869132"></span> <span class='navs'> | <a href="#39867078" class="clicky" aria-hidden="true">prev</a> | <a href="#39869580" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869132" n="16" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00"><i>because of it's "great new features"</i><p>"great" for whom? I've seen enough of the industry to immediately feel suspicious when someone uses that sort of phrasing in an attempt to persuade me. 
It's no different from claiming a "better experience" or similar.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39870992'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39870992' href='vote?id=39870992&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=LtWorf" class="hnuser">LtWorf</a> <span class="age" title="2024-03-30T01:30:59 1711762259"><a href="item?id=39870992">11 months ago</a></span> <span id="unv_39870992"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">parent</a> | <a href="#39870756" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39870992" n="9" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I made a library where version 2 is really really much faster than version 1. 
I'd want everyone to just move to version 2.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871109'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39871109' href='vote?id=39871109&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Brian_K_White" class="hnuser">Brian_K_White</a> <span class="age" title="2024-03-30T01:53:37 1711763617"><a href="item?id=39871109">11 months ago</a></span> <span id="unv_39871109"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39870992" class="clicky" aria-hidden="true">parent</a> | <a href="#39870756" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871109" n="8" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">But then you are saying a specific great new feature, performance, and not just the claim and concept performance, but numbers.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872240'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39872240' href='vote?id=39872240&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=LtWorf" class="hnuser">LtWorf</a> <span class="age" title="2024-03-30T06:02:14 1711778534"><a href="item?id=39872240">11 months ago</a></span> <span id="unv_39872240"></span> <span 
class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39871109" class="clicky" aria-hidden="true">parent</a> | <a href="#39870756" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872240" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I'm sure they actually had new features…</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872690'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39872690' href='vote?id=39872690&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Brian_K_White" class="hnuser">Brian_K_White</a> <span class="age" title="2024-03-30T07:36:38 1711784198"><a href="item?id=39872690">11 months ago</a></span> <span id="unv_39872690"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39872240" class="clicky" aria-hidden="true">parent</a> | <a href="#39872372" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872690" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">What are they specifically?<p>I don't know how you can be missing the essence of the problem here or that comment's point.<p>Vague claims are meaningless and valueless and are now even worse than that; they are a red flag.<p>Please don't tell me that you would accept a pr that didn't explain what it did, and why it did it, and how it did it, with code that actually matched up with the claim, and was all actually something you wanted or agreed was a 
good change to your project.<p>Updating to the next version of a library is completely unrelated. When you update a library, you don't know what all the changes were to the library, _but the library's maintainers do_, and you essentially trust that library's maintainers to be doing their job not accepting random patches that might do anything.<p>Updating a dependency and trusting a project to be sane is entirely a different prospect from accepting a pr and just trusting that the submitter only did things that are both well intentioned and well executed.<p>If you don't get this then I for sure will not be using or trusting <i>your</i> library.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872372'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39872372' href='vote?id=39872372&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=CanaryLayout" class="hnuser">CanaryLayout</a> <span class="age" title="2024-03-30T06:32:17 1711780337"><a href="item?id=39872372">11 months ago</a></span> <span id="unv_39872372"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39872240" class="clicky" aria-hidden="true">parent</a> | <a href="#39872690" class="clicky" aria-hidden="true">prev</a> | <a href="#39870756" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872372" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Yeah... 
RISCV routine was put in, then some binary test files were added later that are probably now suspect.<p>Don't miss out on the quality code, like the line that has: i += 4 - 2;<p><a href="https://git.tukaani.org/?p=xz.git;a=commitdiff;h=50255feeaabcc7e7db22b858a6bd64a9b5b4f16d;hp=db5eb5f563e8baa8d912ecf576f53391ff861596" rel="nofollow">https://git.tukaani.org/?p=xz.git;a=commitdiff;h=50255feeaab...</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39873690'><td><table border='0'> <tr> <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks"> <center><a id='up_39873690' href='vote?id=39873690&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=jwilk" class="hnuser">jwilk</a> <span class="age" title="2024-03-30T11:03:32 1711796612"><a href="item?id=39873690">11 months ago</a></span> <span id="unv_39873690"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39872372" class="clicky" aria-hidden="true">parent</a> | <a href="#39872563" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39873690" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">FWIW, "4 - 2" is explained earlier in the file:<p><pre><code> // The "-2" is included because the for-loop will
 // always increment by 2. In this case, we want to
 // skip an extra 2 bytes since we used 4 bytes
 // of input.
 i += 4 - 2;</code></pre></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872563'><td><table border='0'> <tr> <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks"> <center><a id='up_39872563' href='vote?id=39872563&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=gamer191" class="hnuser">gamer191</a> <span class="age" title="2024-03-30T07:13:58 1711782838"><a href="item?id=39872563">11 months ago</a></span> <span id="unv_39872563"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39872372" class="clicky" aria-hidden="true">parent</a> | <a href="#39873690" class="clicky" aria-hidden="true">prev</a> | <a href="#39870756" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872563" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">> some binary test files were added later that are probably now suspect<p>That's confirmed<p>From <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" rel="nofollow">https://www.openwall.com/lists/oss-security/2024/03/29/4</a>:<p>> The files containing the bulk of the exploit are in an obfuscated form in<p>> tests/files/bad-3-corrupt_lzma2.xz<p>> tests/files/good-large_compressed.lzma<p>> committed upstream. 
They were initially added in<p>> <a href="https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0">https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf...</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39873585'><td><table border='0'> <tr> <td class='ind' indent='6'><img src="s.gif" height="1" width="240"></td><td valign="top" class="votelinks"> <center><a id='up_39873585' href='vote?id=39873585&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=m0dest" class="hnuser">m0dest</a> <span class="age" title="2024-03-30T10:45:17 1711795517"><a href="item?id=39873585">11 months ago</a></span> <span id="unv_39873585"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39872563" class="clicky" aria-hidden="true">parent</a> | <a href="#39870756" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39873585" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It probably makes sense to start isolating build processes from test case resources.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874345'><td><table border='0'> <tr> <td class='ind' indent='7'><img src="s.gif" height="1" width="280"></td><td valign="top" class="votelinks"> <center><a id='up_39874345' href='vote?id=39874345&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=saagarjha" class="hnuser">saagarjha</a> <span class="age" title="2024-03-30T12:47:25 
1711802845"><a href="item?id=39874345">11 months ago</a></span> <span id="unv_39874345"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39873585" class="clicky" aria-hidden="true">parent</a> | <a href="#39870756" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874345" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Sure but then you can smuggle it into basically any other part of the build process…?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39870756'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39870756' href='vote?id=39870756&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=SilasX" class="hnuser">SilasX</a> <span class="age" title="2024-03-30T00:55:22 1711760122"><a href="item?id=39870756">11 months ago</a></span> <span id="unv_39870756"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">parent</a> | <a href="#39870992" class="clicky" aria-hidden="true">prev</a> | <a href="#39869580" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39870756" n="6" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">You can find more examples of that kind of puffer if you go to a website's cookie consent pop-up and find the clause after "we use cookies to...".</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871536'><td><table border='0'> <tr> <td 
class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39871536' href='vote?id=39871536&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=transcriptase" class="hnuser">transcriptase</a> <span class="age" title="2024-03-30T03:18:22 1711768702"><a href="item?id=39871536">11 months ago</a></span> <span id="unv_39871536"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39870756" class="clicky" aria-hidden="true">parent</a> | <a href="#39869580" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871536" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I’ve long thought that those “this new version fixes bugs and improves user experience” patch notes that Meta et al copy and paste on every release shouldn’t be permitted.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39873972'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39873972' href='vote?id=39873972&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=nebula8804" class="hnuser">nebula8804</a> <span class="age" title="2024-03-30T11:52:25 1711799545"><a href="item?id=39873972">11 months ago</a></span> <span id="unv_39873972"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39871536" class="clicky" aria-hidden="true">parent</a> | <a 
href="#39880715" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39873972" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Tell me about it. I look at all these random updates that get pushed to my mobile phone and they all pretty much have that kind of fluff in the description. Apple/Android should take some steps to improve this or outright ban this practice. In terms of importance to them though I imagine this is pretty low on the list.<p>I have dreamed about an automated LLM system that can "diff" the changes out of the binary and provide some insight. You know, give back a tiny bit of power to the user. I'll keep dreaming.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39920869'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39920869' href='vote?id=39920869&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Nullabillity" class="hnuser">Nullabillity</a> <span class="age" title="2024-04-03T18:09:20 1712167760"><a href="item?id=39920869">11 months ago</a></span> <span id="unv_39920869"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39873972" class="clicky" aria-hidden="true">parent</a> | <a href="#39880715" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39920869" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It's worse: as someone who <i>does</i> try to provide release notes I'm often cut off by the max length of the field. 
And even <i>then</i>, Play only shows you the notes for the latest version of the app.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39880715'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39880715' href='vote?id=39880715&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=fl0ki" class="hnuser">fl0ki</a> <span class="age" title="2024-03-31T02:12:20 1711851140"><a href="item?id=39880715">11 months ago</a></span> <span id="unv_39880715"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39871536" class="clicky" aria-hidden="true">parent</a> | <a href="#39873972" class="clicky" aria-hidden="true">prev</a> | <a href="#39869580" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39880715" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Slack's Mac app release notes [1] rotate a few copy pastes, here's the one that shits me the most.<p>> We tuned up the engine and gave the interiors a thorough clean. 
Everything is now running smoothly again.<p>Yeah nah mate, if every release is the first release where everything is running smoothly, I'm not going to believe it this time either.<p>Makes me wonder if the team has some release quota to fill and will push a build even if nothing meaningful has actually changed.<p>[1] <a href="https://slack.com/release-notes/mac" rel="nofollow">https://slack.com/release-notes/mac</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39885032'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39885032' href='vote?id=39885032&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=SilasX" class="hnuser">SilasX</a> <span class="age" title="2024-03-31T15:18:18 1711898298"><a href="item?id=39885032">11 months ago</a></span> <span id="unv_39885032"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">root</a> | <a href="#39880715" class="clicky" aria-hidden="true">parent</a> | <a href="#39869580" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39885032" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Ugh. 
That's especially annoying because they're trying to be hip with slang and use a metaphor that requires cultural knowledge that you can't really assume everyone has.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869580'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39869580' href='vote?id=39869580&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=mongol" class="hnuser">mongol</a> <span class="age" title="2024-03-29T22:16:21 1711750581"><a href="item?id=39869580">11 months ago</a></span> <span id="unv_39869580"></span> <span class='navs'> | <a href="#39869132" class="clicky" aria-hidden="true">prev</a> | <a href="#39867822" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869580" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Interesting that one of the commits commented on update of the test file that it was for better reproducibility for having been generated by a fixed random seed (although how goes unmentioned). 
For the future, random test data better be generated as part of the build, rather than being committed as opaque blobs...</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875370'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39875370' href='vote?id=39875370&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=WhyNotHugo" class="hnuser">WhyNotHugo</a> <span class="age" title="2024-03-30T14:44:54 1711809894"><a href="item?id=39875370">11 months ago</a></span> <span id="unv_39875370"></span> <span class='navs'> | <a href="#39869580" class="clicky" aria-hidden="true">parent</a> | <a href="#39867822" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875370" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I agree on principle, but sometimes programmatically generating test data is not so easy.<p>E.g.: I have a specific JPEG committed into a repository because it triggers a specific issue when reading its metadata. 
It's not just _random_ data, but specific bogus data.<p>But yeah, if the test blob is purely random, then you can just commit a seed and generate in during tests.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39867822'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39867822' href='vote?id=39867822&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=smeehee" class="hnuser">smeehee</a> <span class="age" title="2024-03-29T19:10:54 1711739454"><a href="item?id=39867822">11 months ago</a></span> <span id="unv_39867822"></span> <span class='navs'> | <a href="#39869580" class="clicky" aria-hidden="true">prev</a> | <a href="#39870368" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867822" n="9" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Debian have reverted xz-utils (in unstable) to 5.4.5 – actual version string is “5.6.1+really5.4.5-1”. 
So presumably that version's safe; we shall see…</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39870831'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39870831' href='vote?id=39870831&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=xorcist" class="hnuser">xorcist</a> <span class="age" title="2024-03-30T01:04:41 1711760681"><a href="item?id=39870831">11 months ago</a></span> <span id="unv_39870831"></span> <span class='navs'> | <a href="#39867822" class="clicky" aria-hidden="true">parent</a> | <a href="#39874798" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39870831" n="6" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Is that version truly vetted? "Jia Tan" has been the official maintainer since 5.4.3, could have pushed code under any other pseudonym, and controls the signing keys. 
I would have felt better about reverting farther back, xz hasn't had any breaking changes for a long time.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39870975'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39870975' href='vote?id=39870975&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=tobias2014" class="hnuser">tobias2014</a> <span class="age" title="2024-03-30T01:28:24 1711762104"><a href="item?id=39870975">11 months ago</a></span> <span id="unv_39870975"></span> <span class='navs'> | <a href="#39867822" class="clicky" aria-hidden="true">root</a> | <a href="#39870831" class="clicky" aria-hidden="true">parent</a> | <a href="#39870915" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39870975" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It looks like this is being discussed, with a complication of additional symbols that were introduced <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024" rel="nofollow">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871835'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39871835' href='vote?id=39871835&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=binkHN" 
class="hnuser">binkHN</a> <span class="age" title="2024-03-30T04:28:10 1711772890"><a href="item?id=39871835">11 months ago</a></span> <span id="unv_39871835"></span> <span class='navs'> | <a href="#39867822" class="clicky" aria-hidden="true">root</a> | <a href="#39870975" class="clicky" aria-hidden="true">parent</a> | <a href="#39870915" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871835" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Thanks for this! I found this URL in the thread very interesting!<p><a href="https://www.nongnu.org/lzip/xz_inadequate.html" rel="nofollow">https://www.nongnu.org/lzip/xz_inadequate.html</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872305'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39872305' href='vote?id=39872305&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=mehdix" class="hnuser">mehdix</a> <span class="age" title="2024-03-30T06:14:35 1711779275"><a href="item?id=39872305">11 months ago</a></span> <span id="unv_39872305"></span> <span class='navs'> | <a href="#39867822" class="clicky" aria-hidden="true">root</a> | <a href="#39871835" class="clicky" aria-hidden="true">parent</a> | <a href="#39870915" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872305" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It is an excellent technical write-up and yet again another testimonial to the importance of keeping things simple.</div> <div class='reply'> 
<p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872772'><td><table border='0'> <tr> <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks"> <center><a id='up_39872772' href='vote?id=39872772&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=userbinator" class="hnuser">userbinator</a> <span class="age" title="2024-03-30T07:54:26 1711785266"><a href="item?id=39872772">11 months ago</a></span> <span id="unv_39872772"></span> <span class='navs'> | <a href="#39867822" class="clicky" aria-hidden="true">root</a> | <a href="#39872305" class="clicky" aria-hidden="true">parent</a> | <a href="#39870915" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872772" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c5A">The other comments here showing that the backdoor was a long-term effort now make me wonder just <i>how</i> long of an effort it was...</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39870915'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39870915' href='vote?id=39870915&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=rnmkr" class="hnuser">rnmkr</a> <span class="age" title="2024-03-30T01:18:58 1711761538"><a href="item?id=39870915">11 months ago</a></span> <span id="unv_39870915"></span> <span class='navs'> | <a href="#39867822" class="clicky" 
aria-hidden="true">root</a> | <a href="#39870831" class="clicky" aria-hidden="true">parent</a> | <a href="#39870975" class="clicky" aria-hidden="true">prev</a> | <a href="#39874798" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39870915" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It's not only that account; the other maintainer has been pushing the same promotion all over the place.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874798'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39874798' href='vote?id=39874798&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=sgarland" class="hnuser">sgarland</a> <span class="age" title="2024-03-30T13:42:50 1711806170"><a href="item?id=39874798">11 months ago</a></span> <span id="unv_39874798"></span> <span class='navs'> | <a href="#39867822" class="clicky" aria-hidden="true">parent</a> | <a href="#39870831" class="clicky" aria-hidden="true">prev</a> | <a href="#39872902" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874798" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">TIL that +really is a canonical string. 
[0]<p>[0]: <a href="https://www.debian.org/doc/debian-policy/ch-controlfields.html#epochs-should-be-used-sparingly" rel="nofollow">https://www.debian.org/doc/debian-policy/ch-controlfields.ht...</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872902'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39872902' href='vote?id=39872902&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=kzrdude" class="hnuser">kzrdude</a> <span class="age" title="2024-03-30T08:21:02 1711786862"><a href="item?id=39872902">11 months ago</a></span> <span id="unv_39872902"></span> <span class='navs'> | <a href="#39867822" class="clicky" aria-hidden="true">parent</a> | <a href="#39874798" class="clicky" aria-hidden="true">prev</a> | <a href="#39870368" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872902" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">There are suggestions to roll back further</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39870368'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39870368' href='vote?id=39870368&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=drazk" class="hnuser">drazk</a> <span class="age" title="2024-03-29T23:58:06 1711756686"><a href="item?id=39870368">11 months 
ago</a></span> <span id="unv_39870368"></span> <span class='navs'> | <a href="#39867822" class="clicky" aria-hidden="true">prev</a> | <a href="#39869810" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39870368" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">After reading the original post by Andres Freund, <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" rel="nofollow">https://www.openwall.com/lists/oss-security/2024/03/29/4</a>, his analysis indicates that the RSA_public_decrypt function is being redirected to the malware code. Since RSA_public_decrypt is only used in the context of RSA public key - private key authentication, can we reasonably conclude that the backdoor does not affect username-password authentication?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874007'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39874007' href='vote?id=39874007&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=cbolton" class="hnuser">cbolton</a> <span class="age" title="2024-03-30T11:57:22 1711799842"><a href="item?id=39874007">11 months ago</a></span> <span id="unv_39874007"></span> <span class='navs'> | <a href="#39870368" class="clicky" aria-hidden="true">parent</a> | <a href="#39869810" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874007" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Isn't it rather that the attacker can log in to the compromised server by exploiting the RSA code 
path?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869810'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39869810' href='vote?id=39869810&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=api" class="hnuser">api</a> <span class="age" title="2024-03-29T22:42:20 1711752140"><a href="item?id=39869810">11 months ago</a></span> <span id="unv_39869810"></span> <span class='navs'> | <a href="#39870368" class="clicky" aria-hidden="true">prev</a> | <a href="#39869325" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869810" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I’m surprised there isn’t way more of this stuff. 
The supply chain is so huge and therefore represents so much surface area.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871349'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39871349' href='vote?id=39871349&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=SoftTalker" class="hnuser">SoftTalker</a> <span class="age" title="2024-03-30T02:39:03 1711766343"><a href="item?id=39871349">11 months ago</a></span> <span id="unv_39871349"></span> <span class='navs'> | <a href="#39869810" class="clicky" aria-hidden="true">parent</a> | <a href="#39874495" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871349" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">There probably is. Way more than anyone knows. 
I bet every major project on github is riddled with state actors.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874495'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39874495' href='vote?id=39874495&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=cozzyd" class="hnuser">cozzyd</a> <span class="age" title="2024-03-30T13:05:25 1711803925"><a href="item?id=39874495">11 months ago</a></span> <span id="unv_39874495"></span> <span class='navs'> | <a href="#39869810" class="clicky" aria-hidden="true">parent</a> | <a href="#39871349" class="clicky" aria-hidden="true">prev</a> | <a href="#39869325" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874495" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Imagine if sshd was distributed by PyPI or cargo or npm instead of by a distro.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869325'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39869325' href='vote?id=39869325&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=kapouer" class="hnuser">kapouer</a> <span class="age" title="2024-03-29T21:42:06 1711748526"><a href="item?id=39869325">11 months ago</a></span> <span id="unv_39869325"></span> <span class='navs'> | <a href="#39869810" 
class="clicky" aria-hidden="true">prev</a> | <a href="#39871817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869325" n="12" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Github accounts of both xz maintainers have been suspended.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869355'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39869355' href='vote?id=39869355&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=miduil" class="hnuser">miduil</a> <span class="age" title="2024-03-29T21:45:32 1711748732"><a href="item?id=39869355">11 months ago</a></span> <span id="unv_39869355"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">parent</a> | <a href="#39881935" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869355" n="8" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Not true, the original author wasn't suspended: <a href="https://github.com/Larhzu">https://github.com/Larhzu</a><p><a href="https://github.com/JiaT75">https://github.com/JiaT75</a> was suspended for a moment, but isn't anymore?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871216'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39871216' href='vote?id=39871216&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' 
title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=FridgeSeal" class="hnuser">FridgeSeal</a> <span class="age" title="2024-03-30T02:13:59 1711764839"><a href="item?id=39871216">11 months ago</a></span> <span id="unv_39871216"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39869355" class="clicky" aria-hidden="true">parent</a> | <a href="#39869381" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871216" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">GitHub’s UI has been getting notoriously bad for showing consistent and timely information lately, could be an issue stemming from that.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871911'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39871911' href='vote?id=39871911&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=justinclift" class="hnuser">justinclift</a> <span class="age" title="2024-03-30T04:49:03 1711774143"><a href="item?id=39871911">11 months ago</a></span> <span id="unv_39871911"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39871216" class="clicky" aria-hidden="true">parent</a> | <a href="#39869381" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871911" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Yeah. 
Had a weird problem last week where GitHub was serving old source code from the raw url when using curl, but showing the latest source when coming from a browser.<p><i>Super</i> frustrating when trying to develop automation. :(</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869381'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39869381' href='vote?id=39869381&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=boutique" class="hnuser">boutique</a> <span class="age" title="2024-03-29T21:48:41 1711748921"><a href="item?id=39869381">11 months ago</a></span> <span id="unv_39869381"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39869355" class="clicky" aria-hidden="true">parent</a> | <a href="#39871216" class="clicky" aria-hidden="true">prev</a> | <a href="#39881935" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869381" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Both are suspended for me. 
Check followers on both accounts, both have a suspended pill right next to their names.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39869490'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39869490' href='vote?id=39869490&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=miduil" class="hnuser">miduil</a> <span class="age" title="2024-03-29T22:04:50 1711749890"><a href="item?id=39869490">11 months ago</a></span> <span id="unv_39869490"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39869381" class="clicky" aria-hidden="true">parent</a> | <a href="#39870294" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869490" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Ah, thanks for correcting me there - really weird that this isn't visible from the profile itself. 
Not even from the organization.<p>The following page for each of them shows both accounts suspended indeed.<p><a href="https://github.com/Larhzu?tab=following">https://github.com/Larhzu?tab=following</a><p><a href="https://github.com/JiaT75?tab=following">https://github.com/JiaT75?tab=following</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39917870'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39917870' href='vote?id=39917870&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=miduil" class="hnuser">miduil</a> <span class="age" title="2024-04-03T14:20:13 1712154013"><a href="item?id=39917870">11 months ago</a></span> <span id="unv_39917870"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39869490" class="clicky" aria-hidden="true">parent</a> | <a href="#39870294" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39917870" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Lasse's account was restored</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39870294'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39870294' href='vote?id=39870294&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=fargle" class="hnuser">fargle</a> <span 
class="age" title="2024-03-29T23:47:07 1711756027"><a href="item?id=39870294">11 months ago</a></span> <span id="unv_39870294"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39869381" class="clicky" aria-hidden="true">parent</a> | <a href="#39869490" class="clicky" aria-hidden="true">prev</a> | <a href="#39881935" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39870294" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">github should add a badge for "inject backdoor into core open source infrastructure"</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39915981'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39915981' href='vote?id=39915981&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-03T11:19:41 1712143181"><a href="item?id=39915981">11 months ago</a></span> <span id="unv_39915981"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39870294" class="clicky" aria-hidden="true">parent</a> | <a href="#39881935" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39915981" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Hey maybe it would get bad actors to come clean trying to get that badge.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' 
id='39881935'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39881935' href='vote?id=39881935&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=logicziller" class="hnuser">logicziller</a> <span class="age" title="2024-03-31T06:29:31 1711866571"><a href="item?id=39881935">11 months ago</a></span> <span id="unv_39881935"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">parent</a> | <a href="#39869355" class="clicky" aria-hidden="true">prev</a> | <a href="#39871817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39881935" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">These shouldn't be suspended, and neither should their repositories. People might want to dig through the source code. 
It's okay if they add a warning on the repository, but suspending _everything_ is a stupid thing to do.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39915953'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39915953' href='vote?id=39915953&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-03T11:16:57 1712143017"><a href="item?id=39915953">11 months ago</a></span> <span id="unv_39915953"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39881935" class="clicky" aria-hidden="true">parent</a> | <a href="#39871817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39915953" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Tools don't read warnings. 
Of course the information should not be hidden completely but intentionally breaking the download URLs makes sense.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39965022'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39965022' href='vote?id=39965022&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=logicziller" class="hnuser">logicziller</a> <span class="age" title="2024-04-08T00:03:19 1712534599"><a href="item?id=39965022">10 months ago</a></span> <span id="unv_39965022"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">root</a> | <a href="#39915953" class="clicky" aria-hidden="true">parent</a> | <a href="#39871817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39965022" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">This can also be handled relatively easily. They can disable the old links and a new one can be added specifically for the disabled repository. 
Or even just let the repository be browsable through the interface at least.<p>Simply showing one giant page saying "This repository is disabled" is not helpful in any way.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871817'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39871817' href='vote?id=39871817&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=thayne" class="hnuser">thayne</a> <span class="age" title="2024-03-30T04:23:21 1711772601"><a href="item?id=39871817">11 months ago</a></span> <span id="unv_39871817"></span> <span class='navs'> | <a href="#39869325" class="clicky" aria-hidden="true">prev</a> | <a href="#39872141" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871817" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Do you know if it was actually the commit author, or if their commit access was compromised?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871918'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39871918' href='vote?id=39871918&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=bpye" class="hnuser">bpye</a> <span class="age" title="2024-03-30T04:50:36 1711774236"><a href="item?id=39871918">11 months ago</a></span> <span id="unv_39871918"></span> 
<span class='navs'> | <a href="#39871817" class="clicky" aria-hidden="true">parent</a> | <a href="#39872141" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871918" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">If it was a compromise it also included the signing keys as the release tarball was modified vs the source available on GitHub.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872141'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39872141' href='vote?id=39872141&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=LispSporks22" class="hnuser">LispSporks22</a> <span class="age" title="2024-03-30T05:39:22 1711777162"><a href="item?id=39872141">11 months ago</a></span> <span id="unv_39872141"></span> <span class='navs'> | <a href="#39871817" class="clicky" aria-hidden="true">prev</a> | <a href="#39866612" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872141" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Nice. 
I worked on a Linux distro when I was a wee lad and all we did was compute a new md5 and ship it.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr coll' id='39866612'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks nosee"> <center><a id='up_39866612' href='vote?id=39866612&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=gigatexal" class="hnuser">gigatexal</a> <span class="age" title="2024-03-29T17:22:25 1711732945"><a href="item?id=39866612">11 months ago</a></span> <span id="unv_39866612"></span> [flagged] <span class='navs'> | <a href="#39872141" class="clicky" aria-hidden="true">prev</a> | <a href="#39881069" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866612" n="10" href="javascript:void(0)">[10 more]</a><span class="onstory"></span> </span> </span></div><br><div class="comment noshow"> <div class="commtext c73">Name and shame this author. 
They should never be allowed anywhere near any open projects ever again.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866989'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39866989' href='vote?id=39866989&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=0xbadcafebee" class="hnuser">0xbadcafebee</a> <span class="age" title="2024-03-29T17:53:40 1711734820"><a href="item?id=39866989">11 months ago</a></span> <span id="unv_39866989"></span> <span class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">parent</a> | <a href="#39866696" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866989" n="6" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Please don't?<p>1. You don't actually know what has been done by whom or why. You don't know if the author intended all of this, or if their account was compromised. You don't know if someone is pretending to be someone else. You don't know if this person was being blackmailed, forced against their will, etc. You don't really know much of anything, except a backdoor was introduced by somebody.<p>2. Assuming the author did do something maliciously, relying on personal reputation is bad security practice. The majority of successful security attacks come from insiders. You have to trust insiders, because <i>someone</i> has to get work done, and you don't know who's an insider attacker until they are found out. 
It's therefore a best security practice to limit access, provide audit logs, sign artifacts, etc, so you can trace back where an incursion happened, identify poisoned artifacts, remove them, etc. Just saying "let's ostracize Phil and hope this never happens again" doesn't work.<p>3. A lot of today's famous and important security researchers were, at one time or another, absolute dirtbags who did bad things. Human beings are fallible. But human beings can also grow and change. Nobody wants to listen to reason or compassion when their blood is up, so nobody wants to hear this right now. But that's why it needs to be said now. If someone is found guilty beyond a reasonable doubt (that's really the important part...), then name and shame, sure, shame can work wonders. But at some point people need to be given another chance.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39867326'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39867326' href='vote?id=39867326&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=gigatexal" class="hnuser">gigatexal</a> <span class="age" title="2024-03-29T18:22:31 1711736551"><a href="item?id=39867326">11 months ago</a></span> <span id="unv_39867326"></span> <span class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">root</a> | <a href="#39866989" class="clicky" aria-hidden="true">parent</a> | <a href="#39872884" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867326" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">100% fair -- we don't know if their account was 
compromised or if they meant to do this intentionally.<p>If it were me I'd be doing damage control to clear my name if my account was hacked and abused in this manner.<p>Otherwise if I was doing this knowing full well what would happen then full, complete defederation of me and my ability to contribute to anything ever again should commence -- the open source world is too open to such attacks where things are developed by people who assume good faith actors.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39867550'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39867550' href='vote?id=39867550&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=gigatexal" class="hnuser">gigatexal</a> <span class="age" title="2024-03-29T18:45:17 1711737917"><a href="item?id=39867550">11 months ago</a></span> <span id="unv_39867550"></span> <span class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">root</a> | <a href="#39867326" class="clicky" aria-hidden="true">parent</a> | <a href="#39872884" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867550" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">upon further reflection all 3 of your points are cogent and fair and valid. my original point was a knee-jerk reaction to this. 
:/</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39869748'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39869748' href='vote?id=39869748&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Biganon" class="hnuser">Biganon</a> <span class="age" title="2024-03-29T22:33:48 1711751628"><a href="item?id=39869748">11 months ago</a></span> <span id="unv_39869748"></span> <span class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">root</a> | <a href="#39867550" class="clicky" aria-hidden="true">parent</a> | <a href="#39872884" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869748" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Your being able to reflect upon it and analyze your own reaction is rare, valuable and appreciated</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39874413'><td><table border='0'> <tr> <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks"> <center><a id='up_39874413' href='vote?id=39874413&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=gigatexal" class="hnuser">gigatexal</a> <span class="age" title="2024-03-30T12:56:43 1711803403"><a href="item?id=39874413">11 months ago</a></span> <span id="unv_39874413"></span> <span class='navs'> | <a href="#39866612" class="clicky" 
aria-hidden="true">root</a> | <a href="#39869748" class="clicky" aria-hidden="true">parent</a> | <a href="#39872884" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874413" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I think I went through all the stages of grief. Now at the stage of acceptance here’s what I hope: I hope justice is done. Whoever is doing this be they a misguided current black hat (hopefully, future white hat) hacker, or just someone or someones that want to see the world burn or something in between that we see justice. And then forgiveness and acceptance and all that can happen later.<p>Mitnick reformed after he was convicted (whether you think that was warranted or not). Here if these folks are Mitnick’s or bad actors etc let’s get all the facts on the table and figure this out.<p>What’s clear is that we all need to be ever vigilant: that seemingly innocent patch could be part of a more nefarious thing.<p>We’ve seen it before with that university sending patches to the kernel to “test” how well the core team was at security and how well that went over.<p>Anyways. Yeah. Glad you all allowed me to grow. 
And I learned that I have an emotional connection to open source for better or worse: so much of my life professional and otherwise is enabled by it and so threats to it I guess I take personally.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39872884'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39872884' href='vote?id=39872884&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Kwpolska" class="hnuser">Kwpolska</a> <span class="age" title="2024-03-30T08:16:30 1711786590"><a href="item?id=39872884">11 months ago</a></span> <span id="unv_39872884"></span> <span class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">root</a> | <a href="#39866989" class="clicky" aria-hidden="true">parent</a> | <a href="#39867326" class="clicky" aria-hidden="true">prev</a> | <a href="#39866696" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872884" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It is reasonable to consider all commits introduced by the backdoor author untrustworthy. This doesn't mean all of it is backdoored, but if they were capable of introducing this backdoor, their code needs scrutiny. I don't care why they did it, whether it's a state-sponsored attack, a long game that was supposed to end with selling a backdoor for all Linux machines out there for bazillions of dollars, or blackmail — this is a serious incident that should eliminate them from open-source contributions and the xz project.<p>There is no requirement to use your real name when contributing to open source projects. 
The name of the backdoor author ("Jia Tan") might be fake. If it isn't, and if somehow they are found to be innocent (which I doubt, looking at the evidence throughout the thread), they can create a new account with a new fake identity.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866696'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39866696' href='vote?id=39866696&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Lichtso" class="hnuser">Lichtso</a> <span class="age" title="2024-03-29T17:27:33 1711733253"><a href="item?id=39866696">11 months ago</a></span> <span id="unv_39866696"></span> <span class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">parent</a> | <a href="#39866989" class="clicky" aria-hidden="true">prev</a> | <a href="#39881069" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866696" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">They might have burnt the reputation built for this particular pseudonym but what is stopping them from doing it again? 
They were clearly in it for the long run.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866945'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39866945' href='vote?id=39866945&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=jethro_tell" class="hnuser">jethro_tell</a> <span class="age" title="2024-03-29T17:49:52 1711734592"><a href="item?id=39866945">11 months ago</a></span> <span id="unv_39866945"></span> <span class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">root</a> | <a href="#39866696" class="clicky" aria-hidden="true">parent</a> | <a href="#39881069" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866945" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">You're assuming that it's even a single person, it's just a gmail address and an avatar with a j icon from a clip art thing.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39867183'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39867183' href='vote?id=39867183&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Lichtso" class="hnuser">Lichtso</a> <span class="age" title="2024-03-29T18:10:40 1711735840"><a href="item?id=39867183">11 months ago</a></span> <span id="unv_39867183"></span> <span 
class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">root</a> | <a href="#39866945" class="clicky" aria-hidden="true">parent</a> | <a href="#39881069" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867183" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I literally said "they", I know, I know, in English that can also be interpreted as a gender unspecific singular.<p>Anyways, yes it is an interesting question whether he/she is alone or they are a group. Conway's law probably applies here as well. And my hunch in general is that these criminal mad minds operate individually / alone. Maybe they are hired by an agency but I don't count that as a group effort.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39881069'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39881069' href='vote?id=39881069&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=nodesocket" class="hnuser">nodesocket</a> <span class="age" title="2024-03-31T03:18:09 1711855089"><a href="item?id=39881069">11 months ago</a></span> <span id="unv_39881069"></span> <span class='navs'> | <a href="#39866612" class="clicky" aria-hidden="true">prev</a> | <a href="#39916560" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39881069" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Can legal action be taken against the author if it's found he maliciously added the backdoor?</div> <div class='reply'> <p><font size="1"> </font> 
</div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39907722'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39907722' href='vote?id=39907722&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=saltedtangerine" class="hnuser">saltedtangerine</a> <span class="age" title="2024-04-02T16:35:34 1712075734"><a href="item?id=39907722">11 months ago</a></span> <span id="unv_39907722"></span> <span class='navs'> | <a href="#39881069" class="clicky" aria-hidden="true">parent</a> | <a href="#39916560" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39907722" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Good luck with that. We don't even know what country he is from. Probably from China but even if so. 
Good luck finding him among 1.5 billion.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39916560'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39916560' href='vote?id=39916560&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=landownersubgrp" class="hnuser">landownersubgrp</a> <span class="age" title="2024-04-03T12:27:34 1712147254"><a href="item?id=39916560">11 months ago</a></span> <span id="unv_39916560"></span> <span class='navs'> | <a href="#39881069" class="clicky" aria-hidden="true">prev</a> | <a href="#39866745" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39916560" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It is not good to take into consideration something with any unreadable text instead of the open text of the programme. 
It should be excluded.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39866745'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39866745' href='vote?id=39866745&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=yieldcrv" class="hnuser">yieldcrv</a> <span class="age" title="2024-03-29T17:31:29 1711733489"><a href="item?id=39866745">11 months ago</a></span> <span id="unv_39866745"></span> <span class='navs'> | <a href="#39916560" class="clicky" aria-hidden="true">prev</a> | <a href="#39909917" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866745" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I wonder who the target was!</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39871753'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39871753' href='vote?id=39871753&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=juliusdavies" class="hnuser">juliusdavies</a> <span class="age" title="2024-03-30T04:07:29 1711771649"><a href="item?id=39871753">11 months ago</a></span> <span id="unv_39871753"></span> <span class='navs'> | <a href="#39866745" class="clicky" aria-hidden="true">parent</a> | <a href="#39878675" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39871753" n="4" 
href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Every Linux box inside AWS, Azure, and GCP and other cloud providers that retains the default admin sudo-able user (e.g., “ec2”) and is running ssh on port 22.<p>I bet they intended for their back door to eventually be merged into the base Amazon Linux image.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39876509'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39876509' href='vote?id=39876509&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=throwaway7356" class="hnuser">throwaway7356</a> <span class="age" title="2024-03-30T16:59:21 1711817961"><a href="item?id=39876509">11 months ago</a></span> <span id="unv_39876509"></span> <span class='navs'> | <a href="#39866745" class="clicky" aria-hidden="true">root</a> | <a href="#39871753" class="clicky" aria-hidden="true">parent</a> | <a href="#39874273" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39876509" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">You don't need an "ec2" user. A backdoor can just allow root login even when that is disabled for people not using the backdoor.<p>It just requires the SSH port to be reachable unless there is also a callout function (which is risky as people might see the traffic). 
And with Debian and Fedora covered and the change eventually making its way into Ubuntu and RHEL pretty much everything would have this backdoor.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39874273'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39874273' href='vote?id=39874273&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Bulat_Ziganshin" class="hnuser">Bulat_Ziganshin</a> <span class="age" title="2024-03-30T12:38:55 1711802335"><a href="item?id=39874273">11 months ago</a></span> <span id="unv_39874273"></span> <span class='navs'> | <a href="#39866745" class="clicky" aria-hidden="true">root</a> | <a href="#39871753" class="clicky" aria-hidden="true">parent</a> | <a href="#39876509" class="clicky" aria-hidden="true">prev</a> | <a href="#39878675" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39874273" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">my understanding is that any Debian/RPM-based Linux running sshd would become vulnerable in a year or two. The best equivalent of this exploit is the One Ring.<p>So the really strange thing is why they put so little effort into making this undetectable. 
All they needed was to make it use less time to check each login attempt.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39875597'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39875597' href='vote?id=39875597&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=kevincox" class="hnuser">kevincox</a> <span class="age" title="2024-03-30T15:12:27 1711811547"><a href="item?id=39875597">11 months ago</a></span> <span id="unv_39875597"></span> <span class='navs'> | <a href="#39866745" class="clicky" aria-hidden="true">root</a> | <a href="#39874273" class="clicky" aria-hidden="true">parent</a> | <a href="#39878675" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39875597" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">On the other hand it was very hard to detect. The slow login time was the only thing that gave it away. It more seems like they were so close to being highly successful. In retrospect improving the performance would have been the smart play. 
But that is one part that went wrong compared to very many that went right.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39878675'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39878675' href='vote?id=39878675&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=njsg" class="hnuser">njsg</a> <span class="age" title="2024-03-30T21:07:23 1711832843"><a href="item?id=39878675">11 months ago</a></span> <span id="unv_39878675"></span> <span class='navs'> | <a href="#39866745" class="clicky" aria-hidden="true">parent</a> | <a href="#39871753" class="clicky" aria-hidden="true">prev</a> | <a href="#39872177" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39878675" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Distro build hosts and distro package maintainers might not be a bad guess. Depends on whether getting this shipped was the final goal. 
It might have been just the beginning, part of some bootstrapping.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39872177'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39872177' href='vote?id=39872177&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=swagmoney1606" class="hnuser">swagmoney1606</a> <span class="age" title="2024-03-30T05:47:59 1711777679"><a href="item?id=39872177">11 months ago</a></span> <span id="unv_39872177"></span> <span class='navs'> | <a href="#39866745" class="clicky" aria-hidden="true">parent</a> | <a href="#39878675" class="clicky" aria-hidden="true">prev</a> | <a href="#39909917" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39872177" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Probably less of an individual and more of an exploit to sell.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39909917'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39909917' href='vote?id=39909917&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=menomatter" class="hnuser">menomatter</a> <span class="age" title="2024-04-02T19:31:25 1712086285"><a href="item?id=39909917">11 months ago</a></span> <span id="unv_39909917"></span> <span class='navs'> | <a href="#39866745" 
class="clicky" aria-hidden="true">prev</a> | <a href="#39867115" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39909917" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">His account is active again on GitHub: <a href="https://github.com/JiaT75">https://github.com/JiaT75</a></div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39867115'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39867115' href='vote?id=39867115&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=KingOfCoders" class="hnuser">KingOfCoders</a> <span class="age" title="2024-03-29T18:03:29 1711735409"><a href="item?id=39867115">11 months ago</a></span> <span id="unv_39867115"></span> <span class='navs'> | <a href="#39909917" class="clicky" aria-hidden="true">prev</a> | <a href="#39866433" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867115" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Sleeper.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr coll' id='39866433'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks nosee"> <center><img src="s.gif" height="1" width="14"></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=coding123" class="hnuser">coding123</a> <span class="age" title="2024-03-29T17:08:54 1711732134"><a 
href="item?id=39866433">11 months ago</a></span> <span id="unv_39866433"></span> <span class='navs'> | <a href="#39867115" class="clicky" aria-hidden="true">prev</a> | <a href="#39866999" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866433" n="9" href="javascript:void(0)">[9 more]</a><span class="onstory"></span> </span> </span></div><br><div class="comment noshow"> [flagged] <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866472'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39866472' href='vote?id=39866472&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=zb3" class="hnuser">zb3</a> <span class="age" title="2024-03-29T17:11:48 1711732308"><a href="item?id=39866472">11 months ago</a></span> <span id="unv_39866472"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">parent</a> | <a href="#39866999" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866472" n="8" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c5A">Not sure why people are downvoting you... 
it's pretty unlikely that various Chinese IoT companies would just decide it's cool to add a backdoor, which clearly implies that no matter how good their intentions are, they simply might have no other choice.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866574'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39866574' href='vote?id=39866574&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=gpm" class="hnuser">gpm</a> <span class="age" title="2024-03-29T17:19:41 1711732781"><a href="item?id=39866574">11 months ago</a></span> <span id="unv_39866574"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">root</a> | <a href="#39866472" class="clicky" aria-hidden="true">parent</a> | <a href="#39866939" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866574" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">There are, roughly speaking, two possibilities here:<p>1. His machine was compromised, he wasn't at fault past having less than ideal security (a sin we are all guilty of). His country of origin/residence is of no importance and doxing him isn't fair to him.<p>2. This account was malicious. There's no reason we should believe that the identity behind it wasn't fabricated. The country of origin/residence is likely falsified.<p>In neither case is trying to investigate who he is on a public forum likely to be productive. 
In both cases there's risk of aiming an internet mob at some innocent person who was 'set up'.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39867114'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39867114' href='vote?id=39867114&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=rjzzleep" class="hnuser">rjzzleep</a> <span class="age" title="2024-03-29T18:03:28 1711735408"><a href="item?id=39867114">11 months ago</a></span> <span id="unv_39867114"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">root</a> | <a href="#39866574" class="clicky" aria-hidden="true">parent</a> | <a href="#39866765" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867114" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">The back door is in the upstream GitHub tarball. The most obvious way to get stuff there is by compromising an old-style GitHub token. The new-style GitHub tokens are much better, but it’s somewhat opaque what options you need. Most people also don’t use expiring tokens. 
The author seems to have a lot of OSS contributions, so probably an easy target to choose.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866765'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39866765' href='vote?id=39866765&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=zb3" class="hnuser">zb3</a> <span class="age" title="2024-03-29T17:33:12 1711733592"><a href="item?id=39866765">11 months ago</a></span> <span id="unv_39866765"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">root</a> | <a href="#39866574" class="clicky" aria-hidden="true">parent</a> | <a href="#39867114" class="clicky" aria-hidden="true">prev</a> | <a href="#39916031" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866765" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Why do you exclude the possibility that this person was forced to add this at gunpoint?</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866863'><td><table border='0'> <tr> <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks"> <center><a id='up_39866863' href='vote?id=39866863&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=encoderer" class="hnuser">encoderer</a> <span class="age" title="2024-03-29T17:40:47 1711734047"><a 
href="item?id=39866863">11 months ago</a></span> <span id="unv_39866863"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">root</a> | <a href="#39866765" class="clicky" aria-hidden="true">parent</a> | <a href="#39916031" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866863" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Yes, exactly this. How do people think state actors have all those 0-day exploits? Excellent research? No! They are adding them themselves!</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39916031'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39916031' href='vote?id=39916031&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-03T11:28:01 1712143681"><a href="item?id=39916031">11 months ago</a></span> <span id="unv_39916031"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">root</a> | <a href="#39866574" class="clicky" aria-hidden="true">parent</a> | <a href="#39866765" class="clicky" aria-hidden="true">prev</a> | <a href="#39866939" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39916031" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">I think the letters+numbers naming scheme for both the main account and the sockpuppets used to get him access to xz and the versions into distros is a strong hint at (2). 
Taking over xz maintainership without any history of open source contributions is also suspicious.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866939'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks"> <center><a id='up_39866939' href='vote?id=39866939&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=noncoml" class="hnuser">noncoml</a> <span class="age" title="2024-03-29T17:49:00 1711734540"><a href="item?id=39866939">11 months ago</a></span> <span id="unv_39866939"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">root</a> | <a href="#39866472" class="clicky" aria-hidden="true">parent</a> | <a href="#39866574" class="clicky" aria-hidden="true">prev</a> | <a href="#39866999" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866939" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Because it’s naive to think that the owner of the account used his real identity.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39866971'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39866971' href='vote?id=39866971&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=zb3" class="hnuser">zb3</a> <span class="age" title="2024-03-29T17:52:30 1711734750"><a 
href="item?id=39866971">11 months ago</a></span> <span id="unv_39866971"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">root</a> | <a href="#39866939" class="clicky" aria-hidden="true">parent</a> | <a href="#39866999" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866971" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">But my point is that people living in China might be "forced" to do such things, so we unfortunately can't ignore the country. Of course, practically this is problematic since the country can be faked.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr coll' id='39866999'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks nosee"> <center><img src="s.gif" height="1" width="14"></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=sorokod" class="hnuser">sorokod</a> <span class="age" title="2024-03-29T17:54:29 1711734869"><a href="item?id=39866999">11 months ago</a></span> <span id="unv_39866999"></span> <span class='navs'> | <a href="#39866433" class="clicky" aria-hidden="true">prev</a> | <a href="#39868153" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39866999" n="3" href="javascript:void(0)">[3 more]</a><span class="onstory"></span> </span> </span></div><br><div class="comment noshow"> [flagged] <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39867064'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39867064' href='vote?id=39867064&how=up&goto=item%3Fid%3D39866275'><div 
class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=matheusmoreira" class="hnuser">matheusmoreira</a> <span class="age" title="2024-03-29T17:58:56 1711735136"><a href="item?id=39867064">11 months ago</a></span> <span id="unv_39867064"></span> <span class='navs'> | <a href="#39866999" class="clicky" aria-hidden="true">parent</a> | <a href="#39868153" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867064" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">Don't blame the guy. Could have happened to anyone. Even you.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr coll noshow' id='39867988'><td><table border='0'> <tr> <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks nosee"> <center><img src="s.gif" height="1" width="14"></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=sorokod" class="hnuser">sorokod</a> <span class="age" title="2024-03-29T19:25:17 1711740317"><a href="item?id=39867988">11 months ago</a></span> <span id="unv_39867988"></span> <span class='navs'> | <a href="#39866999" class="clicky" aria-hidden="true">root</a> | <a href="#39867064" class="clicky" aria-hidden="true">parent</a> | <a href="#39868153" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39867988" n="2" href="javascript:void(0)">[2 more]</a><span class="onstory"></span> </span> </span></div><br><div class="comment noshow"> [flagged] <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr noshow' id='39869987'><td><table border='0'> <tr> <td class='ind' indent='3'><img src="s.gif" height="1" 
width="120"></td><td valign="top" class="votelinks"> <center><a id='up_39869987' href='vote?id=39869987&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=dang" class="hnuser">dang</a> <span class="age" title="2024-03-29T23:04:00 1711753440"><a href="item?id=39869987">11 months ago</a></span> <span id="unv_39869987"></span> <span class='navs'> | <a href="#39866999" class="clicky" aria-hidden="true">root</a> | <a href="#39867988" class="clicky" aria-hidden="true">parent</a> | <a href="#39868153" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="39869987" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">It's uncharitable and comes across as a personal attack, which is not allowed in HN comments.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39868153'><td><table border='0'> <tr> <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks"> <center><a id='up_39868153' href='vote?id=39868153&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=Jommi" class="hnuser">Jommi</a> <span class="age" title="2024-03-29T19:41:14 1711741274"><a href="item?id=39868153">11 months ago</a></span> <span id="unv_39868153"></span> <span class='navs'> | <a href="#39866999" class="clicky" aria-hidden="true">prev</a> <a class="togg clicky" id="39868153" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext cCE">The account was either sold or stolen.</div> <div class='reply'> 
<p><font size="1"> </font> </div></div></td></tr> </table></td></tr> <tr class='athing comtr' id='39916064'><td><table border='0'> <tr> <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks"> <center><a id='up_39916064' href='vote?id=39916064&how=up&goto=item%3Fid%3D39866275'><div class='votearrow' title='upvote'></div></a></center> </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead"> <a href="user?id=account42" class="hnuser">account42</a> <span class="age" title="2024-04-03T11:32:18 1712143938"><a href="item?id=39916064">11 months ago</a></span> <span id="unv_39916064"></span> <span class='navs'> | <a href="#39868153" class="clicky" aria-hidden="true">parent</a> <a class="togg clicky" id="39916064" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span> </span> </span></div><br><div class="comment"> <div class="commtext c00">That's pure speculation and there are plenty of hints to the contrary.</div> <div class='reply'> <p><font size="1"> </font> </div></div></td></tr> </table></td></tr> </table> <br><br> </td></tr> 
</table></center></body> <script type='text/javascript' src='hn.js?XYhOlxRBVkdDcppwPBZc'></script> </html>