That's not good. It'll be interesting to see the fallout. RedHat's writeup states the malicious code is not in the git repo, but only in the download packages. So, did the dev's local box get owned or did the dev go malicious? ie: their build box is compromised?

Wow... at first I figured this was just a bug where a malformed archive could cause a buffer overflow, double free, or something like that. But this is a pretty tricky attack on the source itself that would be hard to detect by the developers who typically would just be pulling directly from git instead of downloading a release tarball.

This wasn't done by an amateur, and XZ along with a lot of other open source projects need to be super careful with monitoring what ends up in the repo.

It's the *source* tarball which contains the final piece of the malicious code, not the binaries. It's no coincidence that starting from today Arch Linux switched to the git tag lol

None of this would have happened if they had completely replaced autotools with CMake in the first place.

Agh, okay. However, still...how do those get "built" without that code being reflected in the actual git repo? I would think that would be even more of a locked down permission to allow those to be uploaded. It would be one thing if everything was 100% in the git repo and some "new developer" pushed some new code that looked good and they snuck in the malicious stuff, but they're sneaking in malicious stuff both in the git repo and different code in the source tarball.

I've been talking about this issue for years and how woeful Linux (in)security is as a result. I knew something like that would happen and it just happened.

Almost all distros, aside from maybe RHEL, rush to push upstream packages without ever verifying that the source code has not been tampered with.

What's worse, independent maintainers assigned for packaging , are often not even developers themselves, so they have no means or qualifications to read the code and see if it's still trustworthy. And oftentimes maintainers are in charge of multiple packages, and at the same time it's not their primary job or something they get paid for, so there's little to no interest to make sure things are right.

Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.

Can this issue be solved? I've no idea.

There should be a concerted effort by Linux distros to verify packages and mark them as safe. I've never heard of anything in this regard with the only exception of RHEL which is not a desktop distro and besides they have severely limited their ties to the community.

This is not an XZ issue. This is the issue of the entire Linux ecosystem. The issue of safety, security, trust and verifiability.

Fedora 41 beta users have already "luckily" updated to it.

Which distros? Fedora 41 when Fedora 40 is not even released yet? Rush, verifying source code? Are you fking kidding me? The difference is you can verify code on Linux while you can only dream about this on Windows or macOS. Thanks for reminding me how a total joke Windows 'security' is. That's one of the reasons Windows is slow crap. Backdoors are consuming your CPU time!

Good JOKE! Especially in proprietary apps! Closed source must be prohibited, because of security reasons. Now you're the biggest Open Source advocate and proprietary hater. Thanks! Oh, we can't forget microsoft and apple introduce backdoors themselves.

Excuse me while i laugh....