tukaani-project / xz

XZ Utils
https://tukaani.org/xz/

Release 5.7 #107

Closed erkinalp closed 2 months ago

erkinalp commented 3 months ago

basically 5.6.1 minus backdoor

thesamesam commented 3 months ago

xz does odd/even for dev/stable, so the next series would be 5.8.x. We agree 5.6.x is too toxic as a number and it is discontinued.

The review of the repository is very much underway but I can't give a date yet. When we can put our name on the contents, a new dev release, and then stable release in due course will be made. We are aware of the need for a release, but it is important it is done right.

aeternesatiatus commented 3 months ago

Hey, what if you created a series of 5.6.x releases that would essentially be incremental in the removing of the backdoor? This may sound stupid, but it's mostly for rolling release distros that would rather stick with 5.6.1 rather than downgrade.

vilari-mickopf commented 3 months ago

Backdoor was not activated if you build 5.6.x from the source, only if you build it from release tarballs. So there is no need for incremental releases, just build it from the source (this is what Arch has done for example). The issue is that there might be more things that we are not aware of, since the attack was in preparation for years, so xz team is just trying to be extra cautious (which is the right call imo), and they are trying to remove as much as possible (not just Jia stuff, but everything that seems unnecessary), before releasing something that they feel comfortable with.

Mysak0CZ commented 3 months ago

Hi! Would it be possible to release this as both a new minor release, if you decide to do so, but also as a patch release (e.g. 5.6.2)? Some projects auto-update dependency patch versions but do so less frequently for bigger version bumps. This would allow this to happen, if it isn't extra work (of course the security advisory should override any such policy and any project should update to the newest version regardless, but ... )

aeternesatiatus commented 3 months ago

> Backdoor was not activated if you build 5.6.x from the source, only if you build it from release tarballs. So there is no need for incremental releases, just build it from the source (this is what Arch has done for example). The issue is that there might be more things that we are not aware of, since the attack was in preparation for years, so xz team is just trying to be extra cautious (which is the right call imo), and they are trying to remove as much as possible (not just Jia stuff, but everything that seems unnecessary), before releasing something that they feel comfortable with.

I think Arch should rebuild a new 5.6.1-4 in this case. The less of the backdoor there is, no matter if active or not, the better it will be.

emaste commented 3 months ago

> just build it from the source (this is what arch has done for example).

This is technically true and what we were going to do in FreeBSD. We imported 5.6.0 into the FreeBSD base system, but stripped out the autoconf build infrastructure altogether as well as the compromised test objects, so we were completely isolated (independent of the attack being limited to specific Linux contexts).

However it is too confusing for downstream projects, auditors, and similar entities who don't understand the notion that the compromised version is included, but not the compromise. Thus we've subsequently rolled back to the previous version and will wait for a new upstream release.
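The two comments above rest on one fact: the malicious pieces lived in what the release tarball carried beyond the git tag (generated autoconf infrastructure) and in test objects whose contents did not match their benign appearance. The following script, added here as an illustration and not code from the xz project or any commenter, shows the check a packager can run before trusting a dist tarball: compare the tarball's manifest against the tagged source tree, sort tarball-only files into "expected autotools output" versus "unexpected extra", and hash-compare every file present in both so that a modified test object is also caught. The two file trees and the list of expected generated paths are constructed sample data for this example, not xz's real trees.

```python
import fnmatch
import hashlib

# Constructed sample trees (path -> file bytes). Illustrative only; in real use
# you would populate these from `git archive <tag>` and from the extracted tarball.
GIT_TAG_TREE = {
    ".gitignore": b"*.o\n",
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "Makefile.am": b"SUBDIRS = src tests\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "tests/files/good-1.bin": b"\x00\x01\x02",
    "m4/foo.m4": b"dnl foo\n",
}
DIST_TARBALL = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "Makefile.am": b"SUBDIRS = src tests\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    # Same path as in git, but the bytes differ: a manifest-only diff would miss this.
    "tests/files/good-1.bin": b"\x00\x01\x02\xff",
    "m4/foo.m4": b"dnl foo\n",
    # Files that autoreconf/`make dist` legitimately add to a tarball.
    "configure": b"#!/bin/sh\n",
    "Makefile.in": b"# generated\n",
    "src/Makefile.in": b"# generated\n",
    "aclocal.m4": b"# generated by aclocal\n",
    "build-aux/install-sh": b"#!/bin/sh\n",
    # Constructed example of a tarball-only file that is NOT on the expected list.
    "m4/extra-helper.m4": b"dnl constructed: neither in git nor a known generated file\n",
}

# Assumed allowlist of paths an autotools dist tarball is expected to add on top of
# the git tree. Tune it per project; anything outside it deserves a manual look.
EXPECTED_GENERATED = [
    "configure", "Makefile.in", "*/Makefile.in", "aclocal.m4", "config.h.in",
    "build-aux/*", "m4/libtool.m4", "m4/lt*.m4",
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_dist_to_tag(tag_tree, dist_tree, expected_patterns=EXPECTED_GENERATED):
    """Classify every tarball path relative to the tagged git tree."""
    report = {
        "expected_generated": [],  # tarball-only, matches the allowlist
        "unexpected_extra": [],    # tarball-only, not on the allowlist
        "modified": [],            # present in both, content hash differs
        "missing_from_dist": [],   # in git but not shipped (usually harmless)
    }
    for path in sorted(dist_tree):
        if path in tag_tree:
            if sha256(dist_tree[path]) != sha256(tag_tree[path]):
                report["modified"].append(path)
        elif any(fnmatch.fnmatch(path, pat) for pat in expected_patterns):
            report["expected_generated"].append(path)
        else:
            report["unexpected_extra"].append(path)
    report["missing_from_dist"] = sorted(p for p in tag_tree if p not in dist_tree)
    return report


def tarball_is_clean(report) -> bool:
    """True only when nothing was modified and nothing unexplained was added."""
    return not report["modified"] and not report["unexpected_extra"]


if __name__ == "__main__":
    result = compare_dist_to_tag(GIT_TAG_TREE, DIST_TARBALL)
    for bucket, paths in result.items():
        print(f"{bucket}:")
        for p in paths:
            print(f"  {p}")
    print("clean" if tarball_is_clean(result) else "REVIEW REQUIRED")
```

On the sample data the script flags `tests/files/good-1.bin` as modified and `m4/extra-helper.m4` as an unexplained extra, while the generated `configure`, `Makefile.in`, `aclocal.m4` and `build-aux/` files pass. Note the limit emaste points at: this check only finds what differs between tarball and tag; anything committed to git itself is by construction "not modified", which is why a review of the repository contents was still needed.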

Neustradamus commented 3 months ago

Dear all,

I have received a lot of attacks from people in public and private.

I have contacted @Larhzu about this bad situation against me and he has understood.

It is important to me to inform people again, I have no link with the backdoor author.

I only publish announcements of XZ (not only, look next links) and/or I request new release builds in several projects and/or I request software updates in several projects.

Recently (2024-03-06), I requested the XZ update to 5.4.5 and 5.6.0 in the Microsoft VCPKG project instead of 5.4.4; sadly nobody knew that there was a backdoor in the 5.6.x branch at that moment. Maybe it permitted Andres Freund, a Microsoft developer, to discover the backdoor.

I propose to have a 5.8.x branch without a backdoor. An odd number can be an unstable branch or a development branch:

Linked to:

Example of my XZ Twitter announcements:

You can look and follow me on my social networks:

For example, in the past, I participated in getting a new team for the Avahi project, but at this time the Avahi project is still INSECURE because there has been no new release build since 0.8.0 (2020) and a lot of CVEs from 2021 and 2023 have not been fixed. I have requested several times (and not only me) a new release build, etc.

Another one: there is a problem in the mRemoteNG project, where several CVEs have not been solved either:

In addition, there are several dormant/dead projects too that I have tried to wake up with other guys.

erkinalp commented 3 months ago

> Odd number can be an unstable branch or a development branch:

It would be an interim release until proper testing of the added features is done, hence 5.7.

thesamesam commented 3 months ago

@Neustradamus This isn't appropriate here. Please try to avoid leaving lengthy comments which aren't directly related.

thesamesam commented 3 months ago

@erkinalp If it were intended to substitute 5.6.1, then it wouldn't be an unstable release in the way we usually do it. Please just be patient or downgrade. This really brings us back to my earlier comment at https://github.com/tukaani-project/xz/issues/107#issuecomment-2052314081.

thesamesam commented 3 months ago

> Hi! Would it be possible to release this as both a new minor release, if you decide to do so, but also as a patch release (e.g. 5.6.2)? Some projects auto-update dependency patch versions but do so less frequently for bigger version bumps. This would allow this to happen, if it isn't extra work (of course the security advisory should override any such policy and any project should update to the newest version regardless, but ... )

We'll discuss this, but no promises. Thanks for the suggestion.

eli-schwartz commented 3 months ago

@Neustradamus please cease and desist with your social engineering campaign to put pressure on open source projects and harass maintainers into accepting new maintainers (regardless of whether those maintainers are you or someone else).

This is exactly the behavior that a number of people engaged in, playing "bad cop" so that Jia Tan could show up and offer help and be accepted.

It does not reflect well on you.

Assuming you're not a malicious agent, pushing your social media accounts on people with your giant wall of offtopic links is still harassment and unwanted behavior.

@Larhzu @thesamesam please do an organization-level permaban of this spammer, for everyone's sake. People following xz development don't need this, and I somehow doubt this is making your work easier, either.

Neustradamus commented 3 months ago

@thesamesam: Thanks for your answers here, but I cannot reply to your publications. I have sent you an e-mail about it without an answer from you; it is important to explain to all.

It is linked to your gist, where there are a lot of attacks against me, here: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

And there is another publication from you in this repository about the XZ backdoor:

My previous message has been hidden, so I repeat: I have no link with the XZ backdoor author and I am not a spammer. I only answer people who attack me, like some here, and I explain the situation; please look at my messages, my announcements, my requests.

Thanks for understanding.

christoofar commented 3 months ago

> @thesamesam: Thanks for your answers here, but I cannot reply to your publications. I have sent you an e-mail about it without an answer from you; it is important to explain to all.
>
> It is linked to your gist, where there are a lot of attacks against me, here: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
>
> And there is another publication from you in this repository about the XZ backdoor:
>
> My previous message has been hidden, so I repeat: I have no link with the XZ backdoor author and I am not a spammer. I only answer people who attack me, like some here, and I explain the situation; please look at my messages, my announcements, my requests.
>
> Thanks for understanding.

right now you choke your email

aeternesatiatus commented 3 months ago

I think, @thesamesam, it would be more appropriate if you closed the issue. It's not going well.

Larhzu commented 2 months ago

A few questions and thoughts are in the other issue. I'm closing this to keep the discussion in fewer places.