GitHub Disables The XZ Repository Following Today's Malicious Disclosure

  • #11
    I saw a link to a mailing list post from 2022 where the maintainer informed people that he was suffering from mental health issues (causing updates to be slower than usual).

    The responses were most unkind, "You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo.".

    I think it was the new maintainer who did this.

    I wonder how much those original responses led to this incident.

    EDIT: Link to the mailing list posts: https://www.mail-archive.com/xz-deve.../msg00567.html
    Last edited by You-; 30 March 2024, 12:35 AM.

  • #12
    Originally posted by roviq View Post
    Hmm, I really like Zstd for things like filesystem/stream/on-the-fly compression (I use it with btrfs and zfs), but XZ, 7zip, and the related LZMA family really do great work squeezing bytes, and are very useful for long term archival and other scenarios.

    Ever since I tested Zstd, it became my default for anything that requires quick operation or background activity. It's really that fantastic. On the other hand, as you say, 7z is also my standard for the opposite. I've never used XZ myself. I would like to see integration of the 7z format into tar as well.

  • #13
    Originally posted by byteabit View Post
    Ever since I tested Zstd, it became my default for anything that requires quick operation or background activity. It's really that fantastic. On the other hand, as you say, 7z is also my standard for the opposite. I've never used XZ myself. I would like to see integration of the 7z format into tar as well.

    7z is an archiver/compressor; it already has tar-like features.

  • #14
    All I know of xz is that it was the thing we used for a short time between the bzip2 and zstd eras.

  • #15
    Originally posted by jacob View Post
    7z is an archiver/compressor; it already has tar-like features.

    I know (using it very often as my default archiver application). I wish the standard Linux tool `tar` itself had support for 7z files, so I could rely on it. Especially useful when sharing scripts with others that might not have installed 7z.

  • #16
    Originally posted by Chugworth View Post
    Until now I wasn't too familiar with XZ. I would think that most system tasks involving compression should just move to Zstd, and if you want to use LZMA for archival then just use 7zip. Personally I've always preferred RAR over 7zip, but these days I don't really use either for archival. The built-in compression and error correction in ZFS is adequate for me, and gives direct access to the file itself. Snapshots allow me to confirm whether or not there have been any changes to the file. For datasets intended for archival, I crank the compression level up to 19. That does make it slower and use more CPU, but that doesn't really matter if I rarely access that dataset.

    Many distros use xz to compress all their kernel modules. And while I know you are referring to the RAR format and not the WinRAR application, the latter had a fun zero day last year.

    Google's Threat Analysis Group analyzes recent state-sponsored campaigns exploiting the WinRAR vulnerability, CVE-2023-38831.

  • #17
    Originally posted by byteabit View Post
    I know (using it very often as my default archiver application). I wish the standard Linux tool `tar` itself had support for 7z files, so I could rely on it. Especially useful when sharing scripts with others that might not have installed 7z.

    I'm not 100% sure, but I believe tar doesn't include gz, bz2 or xz support either; rather, it invokes them as external tools.

  • #18
    Originally posted by You- View Post
    I saw a link to a mailing list post from 2022 where the maintainer informed people that he was suffering from mental health issues (causing updates to be slower than usual).

    The responses were most unkind, "You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo.".

    I think it was the new maintainer who did this.

    I wonder how much those original responses led to this incident.

    EDIT: Link to the mailing list posts: https://www.mail-archive.com/xz-deve.../msg00567.html

    As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future. He has been helping a lot off-list and is practically a co-maintainer already. :-) I know that not much has happened in the git repository yet but things happen in small steps. In any case some change in maintainership is already in progress at least for XZ Utils.

    Well, Jia Tan certainly had a big role to play in XZ's future!

  • #19
    Originally posted by You- View Post
    I saw a link to a mailing list post from 2022 where the maintainer informed people that he was suffering from mental health issues (causing updates to be slower than usual).

    The responses were most unkind, "You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo.".

    I think it was the new maintainer who did this.

    I wonder how much those original responses led to this incident.

    EDIT: Link to the mailing list posts: https://www.mail-archive.com/xz-deve.../msg00567.html

    I haven't seen any evidence so far that would suggest Lasse Collin was a conspirator to the malware. That reads a lot more like "I'm letting someone else take over for now", and that "someone else" took advantage of their trust.

  • #20
    Originally posted by byteabit View Post
    I know (using it very often as my default archiver application). I wish the standard Linux tool `tar` itself had support for 7z files, so I could rely on it. Especially useful when sharing scripts with others that might not have installed 7z.

    I'm pretty sure `tar` just pipes the uncompressed output through the standalone compression utilities; you can achieve the exact same output by piping uncompressed `tar` through a standalone compression utility yourself.
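The claim in #17 and #20 (that GNU tar hands compression to the external `xz`/`gzip` binary, so `tar -cJf` and `tar -cf - | xz` yield the same archive) can be checked directly. The script below is an added example, not code from the thread or from the xz project; it assumes GNU tar plus `gzip` (and `xz`, if installed) on PATH, and the sample tree and helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that tar's built-in compression flag and an explicit
# pipe through the stand-alone compressor produce the same tar stream.
set -eu

# Build a small sample tree in a temp dir (constructed input for the demo).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    printf 'hello from the xz thread\n' > "$dir/src/a.txt"
    printf 'second file\n' > "$dir/src/b.txt"
    printf '%s' "$dir"
}

# tar_delegates <dir> <tar_flag> <compressor>
#   e.g. tar_delegates "$d" J xz   or   tar_delegates "$d" z gzip
# Returns 0 when the archive made with tar's own flag and the one made by
# piping an uncompressed tar stream through the compressor decompress to
# byte-identical tar streams (compared via cksum).
tar_delegates() {
    dir=$1; flag=$2; comp=$3
    out=$(mktemp -d)
    # Route 1: tar's compression flag; GNU tar execs the external tool.
    (cd "$dir" && tar "-c${flag}f" "$out/builtin.tar.${comp}" src)
    # Route 2: the same thing spelled out as a pipe.
    (cd "$dir" && tar -cf - src | "$comp" -c > "$out/piped.tar.${comp}")
    # Compare decompressed streams rather than compressed bytes: compressor
    # defaults (level, threads) may differ between invocations, the tar
    # stream underneath them should not.
    h1=$("$comp" -dc "$out/builtin.tar.${comp}" | cksum)
    h2=$("$comp" -dc "$out/piped.tar.${comp}" | cksum)
    rm -rf "$out"
    [ "$h1" = "$h2" ]
}
```

The practical consequence for defenders is that whatever `xz` binary (and the liblzma it links) sits first on PATH is what every `tar -J` invocation runs, so auditing that one binary covers both spellings.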
