It is. Time to switch to Zstd and ditch legacy libraries and standards.

I fully agree with you!

Still, sadly, just not gonna happen.
Why?

For normal users and rolling distributions that claim is plausible and perhaps even desirable.
But as soon as any commercial side comes walking in, they will ask long(er) term support. You cannot give long term support on future software so you get long term support on - then current - software. Which will go outdated during the support term. And that is what promoted the existence of old legacy crap that still has to be supported. It's always a commercial - and financial - reason. And if that support is too long it becomes a technical debt reason too which in turn promotes even longer term support as flipping the switch to something new brings too many unknown.

Funny how the world works huh

Too many to count, and many who do not wish to admit to have been compromised.

Yes, you are quite right. Glad you agree.

I do, and I have.

Reference [9] from the above:


and



Also: https://arxiv.org/pdf/1901.01759.pdf

There's a reason why organisations that take security seriously don't do encryption on platforms shared with other organisations.

If you read the publicly available 'Capability Packages' made available by the U.S. National Security Agency, you will see that AES is approved for data-at-rest up to Top Secret: https://www.nsa.gov/Portals/75/docum...sonI-Now%3d%3d

but AES alone is not approved for data in transit - two separate layers of encryption are required: https://www.nsa.gov/Portals/75/docum...0Package%20v2_ 5_1.pdf?ver=A0d5WxyVN23HYsYlTiYo2g%3d%3d
and there are some restrictions on the endpoint devices (EUDs), not least that they need to be under continuous physical control at all times. AES encrypted data is pretty secure: running the encryption algorithm is not because of the opportunities for 'cheating' and extracting the key by 'eavesdropping' on the encryption process. This is partly down to the use of S-boxes in the design.

As for why AES is used: it's a mandated standard if you follow FIPS (which a lot of people do).


You cannot afford my pen-testing services, and we don't have a proper legal agreement.

​
its a binary in the test fiies that compromises make.

This is why I think Linux packaging is a failure right now. The constant "Just fork it!" nature of Linux is spreading resources too thin. Too many different package managers. Too many different software repositories with overworked packagers trying to keep up with the thousands of applications a distro might have. Too many different distributions that are all largely the same except for some very superficial differences.

So as a result, no one is actually taking the time to double check and review things. XZ is a critical core component of many distributions and software packages. If a critical component, and an otherwise stable feature-complete application gets an update, it should be scrutinized to the fullest extent.

Instead of we have spread-thin package maintainers that just vacuum it up without a second thought.

I get that it's difficult to understand what someone else's code is doing, but that's why the KML requires certain standards and comments that clearly explain what the code is trying to do.

For critical components like XZ, maintainers should just flat out reject updates without clear comments that carefully explain what each new addition is doing.

Put this on proper forum and say goodbye. Hack someone's Linux or shut up. When comes to Windows 'security':

That's the spirit! Critical security hole present in windowses for twenty years isn't critical for microsoft! Avis: they take security <seriously>. Yeah, riiight.

http://https://krebsonsecurity.com/2...patch-tuesday/

Yeah, random windows freeware or shareware from all over the net is better.

It didn't make it to the stable Debian, Fedora and Ubuntu, so it's hard to say whether they would have detected it or not.

It seems XZ maintainer isn't interested much in his project. However, you're right. Critical parts of distributions should go under some umbrella.

"it was a central point to discuss" - not it wasn't, it's not a chat nor a forum. The central point is the XZ website, where the original author "Lasse Collin" explains that the other contributor "Jia Tan" signed those 2 tarballs and uploaded them.
As some distros suggested, they might go back ~2 years, before Jia Tan started to contribute to XZ, and start a fork from that point.

It seems the author of the backdoor also contributed suspicious code to the, the more widely integrated, libarchive.

Because that's not smart? The smart thing would have been making that repo read-only and force-release and old version. Saying that the version you have contains malware and shutting down the source is dumb corporate ass-covering.