GitHub Disables The XZ Repository Following Today's Malicious Disclosure

  • #21
    Originally posted by EphemeralEft

    I haven't seen any evidence so far that would suggest Lasse Collin was a conspirator to the malware. That reads a lot more like "I'm letting someone else take over for now", and that "someone else" took advantage of their trust.
    It seems pretty obvious that this "someone else" (Jia Tan) only started contributing to the project with the backdoor being the intended long game. XZ was basically a golden egg for nation state backed APT groups. It's installed by default in all the major enterprise distros and liblzma gets linked against by important shit. The original author was struggling with some real life issues and didn't have time to dedicate to the project and needed to find other maintainers. Voila. A new contributor appears. Jia will likely end up being some pseudonym of course, with potentially multiple real world actors involved in the commits they made. Software supply chain attacks are only going to pick up steam over the next several years.



  • #22
    Originally posted by caligula

    True. Finland recently joined NATO. So I would say they're on our side. This Chinese guy sounds like he's Winnie the Pooh's minion. Maybe trying their best to help Vladimir win his war of genocide in Ukraine. A backdoor in Western servers would greatly help now that their hypersonic weapons seem like pieces of crap.
    Most Chinese don't care about the situation in Ukraine, and China didn't put any stakes in it (it continues to trade with Russia and is not known to be supplying weapons to any side). In fact, the Taiwan Strait problem is a lot more hyped in China (broad sense), and Taiwan intelligence is one of the top suspects if it is indeed a state-level actor.



  • #23
    The repo was disabled because it's now a matter of national security. NSA/CIA/FBI have full access though, because they need to trace every IP and every interaction.

    Had this not been discovered, and quite serendipitously so, the hackers behind this attack could have compromised RHEL, Ubuntu, SLES and oh boy, this is some extremely serious stuff.



  • #24
    This has nothing to do with LZMA; it's just an issue with XZ. No point in abandoning LZMA in favour of zstd (which is very nice, but usually offers a worse compression ratio).
    There are alternatives, like lzip, which is a direct competitor to xz and readily available in most repositories.

    Funnily enough, its author claimed long ago that it is a better and safer solution.

    Personally, I switched to the excellent lrzip (by Con Kolivas) years ago; it is faster and usually offers a better compression ratio than an ordinary LZMA compressor.
    Last edited by sobrus; 30 March 2024, 02:51 AM.



  • #25
    Given what we know now, imo the project can never be trusted again if a bad actor was essentially able to become the project lead. That's a whole 'nother level of compromise than a malicious commit slipping into a release.



  • #26
    Oh, that's adorable. GitHub continues their "we know better than you" campaign and shuts down repos before they can cause any of their investors harm.
    I'm so glad I moved off of that site. I really don't trust anyone who still hosts there.



  • #27
    Originally posted by Ironmask
    Oh, that's adorable. GitHub continues their "we know better than you" campaign and shuts down repos before they can cause any of their investors harm.
    I'm so glad I moved off of that site. I really don't trust anyone who still hosts there.
    You're going to have to explain that more, because right now you sound like a malware author complaining that GitHub deleted their shit.



  • #28
    Originally posted by CommunityMember

    Moving to zstd as the new standard compression choice may be a good plan, but the reality is that there exist many existing files in xz/lzma (and there will be newly created ones from existing workflows), such that xz will need to be supported for quite some time (essentially forever).
    I don't really understand the poor ergonomics of the zstd command line. It's nothing like compress, gzip, xz, etc., which do sensible things like not compressing an already compressed file and removing the original file after compression by default. That being said, zstd is probably the best choice for someone looking for a change now. I hope that it gets as much support as brotli has. Also, it has dictionary support, which I've used. It really can make a big difference for smaller/custom datasets.



  • #29
    According to https://www.redhat.com/en/blog/urgen...-rawhide-users the problem is an M4 macro, used by autotools. So why not just remove the autotools build system? The CMake build system is already usable for xz.



  • #30
    Originally posted by Ironmask
    Oh, that's adorable. GitHub continues their "we know better than you" campaign and shuts down repos before they can cause any of their investors harm.
    I'm so glad I moved off of that site. I really don't trust anyone who still hosts there.
    I think abuse reports have been flooded against Tukaani, xz and Jia Tan, for good reason. Maybe this is part of GitHub's automated procedures.

