Open mbargull opened 3 months ago
My reading of the upstream discussion is that while everyone is now, of course, maximally suspicious of every line of code the JiaT75 account ever touched, whatever nefarious things may have been done to libarchive are not nearly as direct as the xz changes. The libarchive folks say they're working on a CVE submission and in my view it would be appropriate to follow through on that when it comes along. We absolutely ought to do so expeditiously and thoroughly, but in my view this doesn't appear to be an emergency situation. With that in mind, I think it's better to follow upstream's lead (and/or CVE guidance) than to rush to cook up our own (potentially half-baked ...) rollback patches. If the upstream process somehow gets stuck, then we should reconsider, but at the moment it looks like they're moving swiftly.
@pkgw, that's my understanding as well (from a very shallow look at it, at least).
For libarchive, I haven't yet seen much evidence that would warrant overhasty actions from our side.
https://github.com/conda-forge/libarchive-feedstock/pull/85 has been opened accordingly.
Comment:
In light of the recently added backdoor in xz (for versions not packaged by conda-forge!) there have been concerns raised about upstream changes to libarchive from the same account. We should determine if we want/need to backport changes from https://github.com/libarchive/libarchive/pull/2101 (and possibly others, if more are added) for builds from this feedstock. This includes not only the shared library, but also the static one consumed by some other feedstocks (which would need to be rebuilt too, if patches are deemed necessary).

cc @conda-forge/core, @SylvainCorlay, @JohanMabille, @conda-forge/micromamba