Closed luke-beep closed 7 months ago
Agreed.
I saw this article a few minutes ago: https://www.openwall.com/lists/oss-security/2024/03/29/4
But for me, I couldn't find anything malicious in the tarballs. There is currently no patch in Gentoo, so I would like to create a PR to fix it. But I couldn't reproduce anything from the post.
See the linked PR.
We should really check for stuff like this more. The only reason we know that this stuff exists is because "someone's ssh login time was 0.5s slower."
@MarkusTieger the payload is in git and therefore in the tarball, but it's not active on systems that aren't deb, rpm and glibc based. So Gentoo isn't directly affected.
Using --disable-ifunc is another mitigation possibility. Or simply downgrade.
Well, at least on my system I have glibc installed. Arch Linux was also affected (at least they committed a fix), and they don't have a deb or rpm package.
Arch Linux was also affected
The kids over there just don't know what they are talking about. Also, their "fix" is to use the GitHub repo instead of the tarball. So it still contains lots of puzzle pieces of the backdoor, just not the build trigger, which would supposedly not activate in the PKGBUILD anyway.
@bnavigator I hope we can reach a more productive tone in the future.
Hey, could you maybe chill out a bit? I get you're upset, but let's try to keep the tone civil. We're all just trying to sort this out together.
Describe the Feature
Remove the compromised part of the xz-utils package. It'd be a great addition for all of us, excluding the threat actors 💯
Check out this PR
Expected Complications
No.
Will I try to implement this new feature?
No.