Fwupd Switches From XZ To Zstd Compression: More Trust & Slightly Better Performance

  • #21
    This is sad news. I feel really bad for the developer who got bullied into letting the backdoor dev onto the team. News like this has got to really sting.

  • #22
    It’s not about trust - it’s about stability. Everyone rushes to switch to $NEW_SHINY.

    zlib had years of auditing. There should be no new development on these libraries. It compresses. It decompresses. It’s done.

  • #23
    Originally posted by OneTimeShot:
    zlib had years of auditing. There should be no new development on these libraries. It compresses. It decompresses. It’s done.

    I really hope you're trolling.

  • #24
    Everyone seems to overlook that the same guy also made contributions to zstd...

  • #25
    Originally posted by Robust0522:
    It's a sad story. Lasse Collin developed and maintained Xz as an open source compression tool for well over a decade until mental health issues set in. His reward is to be remembered as the guy who allowed a malicious actor to introduce a backdoor into the software which could easily not have been caught. Not a great advertisement for being an open source maintainer.

    The 10^8 companies using his library could have paid more than 0 USD for his work. That would have helped with the health service bills as well.

  • #26
    Originally posted by Robust0522:
    It's a sad story. Lasse Collin developed and maintained Xz as an open source compression tool for well over a decade until mental health issues set in. His reward is to be remembered as the guy who allowed a malicious actor to introduce a backdoor into the software which could easily not have been caught. Not a great advertisement for being an open source maintainer.

    It very much is. But everyone is focused on the shit bits. The same malicious operator also made contributions to zstd.
    And a whole lot of other repos. Open source relies on the good nature of people and is easily exploitable.
    Not to say that they won't catch any wrongdoings. But whatcha gonna do about it? Anonymous accounts...

    This will happen again and again and again. We'll be ever so lucky to catch them before they cause more harm.

  • #27
    Originally posted by Weasel:
    ZSTD is more trustworthy? What in the world?!? You're telling me you're trusting mfing Facebook more?

    Also that the same accounts made contributions to zstd.
    xz just happened to be the target. I bet there are a lot more out there in the wild.
    Malicious operators have almost nothing to lose. Esp. if they're state sponsored.
    Risk of getting caught. Almost zero.

  • #28
    Did anyone review zstd build test scripts? Do we really think what was done in xz was a unique case?

  • #29
    What contributions did they make to Zstd? Because I don't see any. They forked the repo, sure, maybe they pushed commits to their own branches, but I don't see any commits, issues or pull requests associated with them upstream.

  • #30
    Originally posted by varikonniemi:
    xz should be abandoned. Upstream maliciousness alone is kind of unforgivable, but from what I have read the format itself is poorly and overly engineered.

    You are a despicable and pitiful being.

    Throwing a dedicated, talented and struggling developer together with a malicious, year-long planned, targeted and potentially state-actor based attack is not only wrong, but also obnoxious fud.

    (I agree with Theo on that one: https://www.youtube.com/watch?v=0pT-dWpmwhA)

    That being said, it is nice to see zstd adoption.