• @[email protected]
      link
      fedilink
      English
      08 months ago

      Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of it’s “great new features”. We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.

      He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

      Damn. I would love to see a full post mortem on this compromise.

      • TechNom (nobody)
        link
        fedilink
        English
        08 months ago

        The hack is still not fully understood and is being analyzed. It doesn’t help that Github suspended everything, including the original maintainer’s account (who is believed to be a victim of social engineering).

        Anyway, you will eventually see a post mortem. I’m willing to bet that it’s going to be as phenomenal as the hack itself. The case and its investigation is going to be a classic case study for all security researchers and security-minded users. Anyway, I doubt that the attackers will ever be found. Jia Tan, Jigar Kumar and others are going to remain as ghosts like Satoshi Nakamoto.