My Mastodon feed is full of IT security specialists talking about the xz affair, where someone put a backdoor in some library.

But besides showing the two sides of Free/Libre software (anybody can add a backdoor, and anybody can spot it), I have no idea how it impacts the average person. Is it a common library or something used only by specific applications? Would my home-grade router protect me?

  • lordnikon@lemmy.world · 18 points · 10 months ago

    Only someone running Arch or Debian sid or a bleeding-edge rolling release on an internet-exposed SSH port. The idea of that configuration would sound ludicrous. Even so, we should be building off git repos, not tarballs.

    The weird part is this situation has made me feel safer. The amount of work that went into social engineering this, and it only lasted a month tops, for people that run distros that would just not be, or should not be, used as an exposed server ever.

    It shows open source works. This is more embarrassing than anything, and we deserve it. We need to pay core library devs and have a mechanism by which core libraries can be handed off to a trusted org while another upstream maintainer is found, or the project is shut down and other projects move away from the unmaintained project, when the person maintaining the project gets burned out or has other issues.

      • lordnikon@lemmy.world · 2 points · 10 months ago

        Oh, 100%. I was just talking in general about upstream bleeding-edge distros being vulnerable to this kind of upstream attack, not specific to xz.

      • sploosh@lemmy.world · 4 points · 10 months ago

        Because Arch was one of the distros that distributed the backdoored xz package, though they claim no vulnerability due to their implementation.

          • sploosh@lemmy.world · 2 up / 9 down · 10 months ago

            Bruh, ask Google the question instead of making a stranger figure it out for you. If you want an answer typed up for you, go ask an LLM.

            • vrighter@discuss.tchncs.de · 5 up / 1 down · edited · 10 months ago

              I already knew the answer. Arch was not affected. Hence why I asked why it kept being mentioned.

              I wasn’t asking if Arch was affected. I was asking why you keep regurgitating this clearly wrong information (if you bothered to Google it, of course).

              So no, Google could not have answered my question. And if you do use LLMs for answers, I feel sorry for you.

              • Pika · 3 points · edited · 10 months ago

                I’m not sure I agree with that; Arch 100% should continue to be mentioned. Just because the Trojan didn’t launch, due to the fact that Arch’s environment didn’t meet its criteria, doesn’t mean you should keep a known malicious package on your system.

                People keep preaching to the heavens that Arch was not affected by it, but they don’t always state that Arch was infected by it; it just never binds the library to SSHD like Debian systems do (for systemd notifications), so the attack vector is never made.

                The Arch Wiki official statement on it is that you should remove the malicious package and do a full system update, which should be common sense, but people have to be aware that the system is infected by it in order to know that they have to remove it, a process that, if Arch was never mentioned as being involved, users wouldn’t think to do.
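The distinction the last few comments turn on (sshd linked against liblzma via libsystemd on Debian-style builds, versus a build where liblzma never enters the sshd process) is something you can check on your own box. The script below is an added example, not code from the thread, from Arch, Debian or the xz project. It classifies an `ldd` listing of the sshd binary and turns the result into the two pieces of advice the thread gives. The two listings embedded in it are constructed samples, not captured from real systems, and the fallback path `/usr/sbin/sshd` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or any distro): does this sshd binary pull
# liblzma (the xz library) into its process image?
#   Debian-style build:  sshd -> libsystemd -> liblzma   (trigger present)
#   Build without libsystemd: no liblzma in the closure  (trigger absent)
# ldd prints the full resolved closure, so the indirect hop via libsystemd
# shows up as a liblzma line.

# classify_ldd LISTING: print "linked" if liblzma appears, "clean" otherwise.
classify_ldd() {
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then
        echo linked
    else
        echo clean
    fi
}

# advice_for VERDICT: the practical consequence of each verdict, mirroring the
# thread: a clean sshd does not make a backdoored xz package on disk harmless.
advice_for() {
    case "$1" in
        linked) echo "sshd loads liblzma: a backdoored xz runs inside sshd; update xz and restart sshd" ;;
        clean)  echo "sshd does not load liblzma: the sshd trigger is absent, but still update or remove a backdoored xz package" ;;
        *)      echo "unknown verdict: $1"; return 1 ;;
    esac
}

# Constructed sample: Debian-style sshd, libsystemd drags in liblzma.
DEBIAN_STYLE_LDD='	linux-vdso.so.1 (0x00007ffc3b7f1000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2c000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2bf20000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a2bee0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bc00000)'

# Constructed sample: sshd built without libsystemd, so no liblzma at all.
NO_SYSTEMD_LDD='	linux-vdso.so.1 (0x00007ffd8a1e2000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f6c2e400000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00007f6c2e3e0000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f6c2e200000)'

# check_live_sshd: inspect the installed sshd if one is present.
# /usr/sbin/sshd is an assumed fallback path; returns 1 if nothing to inspect.
check_live_sshd() {
    candidate=$(command -v sshd 2>/dev/null || true)
    [ -n "$candidate" ] || candidate=/usr/sbin/sshd
    [ -x "$candidate" ] || return 1
    command -v ldd >/dev/null 2>&1 || return 1
    listing=$(ldd "$candidate" 2>/dev/null) || return 1
    verdict=$(classify_ldd "$listing")
    echo "$candidate: $verdict"
    advice_for "$verdict"
}

if ! check_live_sshd; then
    echo "no local sshd to inspect; classifying the constructed samples instead"
    echo "debian-style listing: $(classify_ldd "$DEBIAN_STYLE_LDD")"
    echo "no-systemd listing:   $(classify_ldd "$NO_SYSTEMD_LDD")"
fi
```

Two caveats. `ldd` only lists libraries resolved at load time, so a library the process later opens with `dlopen` would not appear; and `ldd` runs the dynamic loader against the binary you name, so point it only at a binary you already trust (your distro's sshd package, not an unknown file). The verdict says whether the sshd trigger path exists, not whether the xz version on disk is the backdoored one; for that, follow your distro's advisory, as the thread says.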