XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access


  • Originally posted by avis View Post
    Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer
    Hah, that's such a big assumption, so they just... read over the source code of any random app you download from the internet huh? There are no viruses at all on their systems huh?

    Not even the ones made by themselves?

    This is a riot, now you're not wrong about this being a problem. Nobody really has time to read every single line of code for every single program in their computer. We might be able to get AI to do it at some point, but AI will always be fallible, maybe less fallible than us, but fallible still.

    As things stand though, because linux distros almost entirely rely on open source packages, every single user has equal opportunity to find out about things like this, and when they do it gets reported, and it's as we see, so we all had compromised systems for 3-4 weeks? Sure, but at least it was only 3-4 weeks and not 'until you install something else than windows'.



    • Originally posted by wooptoo View Post


      Actually an Arch Linux maintainer noticed the discrepancy between the git source code and the distributed tarballs, and introduced this change a day before this exploit was publicly announced.

      The reason for this was because Arch Linux is currently working on making all packages reproducible, which lets users verify the distributed packages from Arch Linux.

      This is precisely the sort of issue reproducible builds can prevent: https://reproducible-builds.org

      edit: https://reproducible.archlinux.org
      Yeah I saw the commit from the day before, but I don't buy it. Security teams usually know about these kinds of issues in advance and I find the coincidence pretty convenient to be chance. By the way Arch wasn't even vulnerable in the first place because it doesn't patch sshd for libsystemd.
      ## VGA ##
      AMD: X1950XTX, HD3870, HD5870
      Intel: GMA45, HD3000 (Core i5 2500K)


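One way to perform the check wooptoo describes (comparing a git tree against the distributed tarball), as an added example that is not code from Arch Linux or from anyone in this thread: hash every regular file in both archives and report what exists only in the release tarball, only in git, or differs between them. Both archives, the package prefix `pkg-1.0` and the file names are constructed sample data.

```python
import hashlib
import io
import tarfile


def _members(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file (leading package directory stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            # both archives carry a "pkg-1.0/" top-level directory; drop it
            name = m.name.split("/", 1)[1] if "/" in m.name else m.name
            out[name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out


def compare_tarballs(git_tar: bytes, dist_tar: bytes) -> dict[str, list[str]]:
    """Report files only in the release tarball, only in git, or with differing content."""
    g, d = _members(git_tar), _members(dist_tar)
    return {
        "only_in_dist": sorted(set(d) - set(g)),
        "only_in_git": sorted(set(g) - set(d)),
        "modified": sorted(n for n in set(g) & set(d) if g[n] != d[n]),
    }


def make_tar(prefix: str, files: dict[str, bytes]) -> bytes:
    """Build a small gzip tarball in memory (constructed sample data for the demo)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the archive of the tagged git tree, and a "release" tarball
# that carries one extra build helper and an altered configure.ac (placeholder names).
GIT_TAR = make_tar("pkg-1.0", {"configure.ac": b"AC_INIT\n", "src/a.c": b"int x;\n"})
DIST_TAR = make_tar("pkg-1.0", {"configure.ac": b"AC_INIT\nextra\n",
                                "src/a.c": b"int x;\n",
                                "m4/helper.m4": b"dnl placeholder\n"})

if __name__ == "__main__":
    print(compare_tarballs(GIT_TAR, DIST_TAR))
```

Generated files (a configure script, for instance) legitimately appear only in a release tarball, so a non-empty report is a prompt to review the listed files, not proof of tampering; reproducible builds aim to make exactly that review routine.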

      • Originally posted by Keats View Post

        You didn't ask for Microsoft's software, you asked for software they were distributing.
        By the same token you can make an argument that Google/Apple/MS distribute malware via their App Stores. No, that's not what I meant and if I didn't make myself clear at first, I'll make it clear now: I only meant software which is developed, distributed publicly and signed by these three companies.

        "Distributed publicly" is also quite important. I can imagine all three companies have security researchers/engineers who have written exploits/malware/viruses just for fun and for testing purposes.

        Originally posted by smitty3268 View Post

        They shipped a CD back in the mid-90s with malware on it.
        Here's the full story: https://grahamcluley.com/microsoft-stab-macro-viruses/ https://www.cnet.com/deals/the-88-be...ill-remaining/

        Not really malware, more like a stupid joke perhaps from someone who was heavily reprimanded. I'm still thankful you've unearthed it as I never knew about it. It was back from the time when the Internet wasn't yet a thing.

        Here we are talking about a freaking backdoor to access a system remotely.
        Last edited by avis; 30 March 2024, 04:23 AM.



        • Originally posted by avis View Post

          By the same token you can make an argument that Google/Apple/MS distribute malware via their App Stores. No, that's not what I meant and if I didn't make myself clear at first, I'll make it clear now: I only meant software which is developed, distributed publicly and signed by these three companies.

          "Distributed publicly" is also quite important. I can imagine all three companies have security researchers/engineers who have written exploits/malware/viruses just for fun and for testing purposes.
          Linux distribution also did not develop xz.



          • Originally posted by LightBit View Post

            Linux distribution also did not develop xz.
            Linux distributions do not develop anything by the same token. Except very special ones like RHEL. It's 100% orthogonal to this discussion.

            XZ is included by default and is an essential/integral part of the vast majority of Linux distros. You can say it's Linux software.



              • Originally posted by HEL88 View Post

              https://www.google.com/search?q=wind...h+after+update
              "windows crash after update" - 160 mln

              https://www.google.com/search?q=linu...h+after+update
              "Linux crash after update" - 52 mln

              https://www.google.com/search?q=maco...h+after+update
              "macos crash after update" - 41 mln

              Windows has 72% market share, Linux has 4%, MacOS 15%.
              Desktop Operating System Market Share Worldwide | Statcounter Global Stats

              Linux has only 4% market share. Linux is 18 times less popular than Windows, but people only ask the "crash after update" question 4 times less often.

              Eat this. Statistics are merciless for your Linux.

              And you only know how to give links without sense and without context.
              You have to also consider there are many more Windows users who are not tech savvy and do not even know how to Google for a solution. They might not even know updates were installed.

              Many Linux users are essentially running development versions on custom configurations that are not even possible on Windows.



              • Originally posted by avis View Post

                Linux distributions do not develop anything by the same token. Except very special ones like RHEL. It's 100% orthogonal to this discussion.
                By your definition Linux distributions are not responsible for any backdoor, if they did not develop it.



                • Originally posted by LightBit View Post

                  By your definition Linux distributions are not responsible for any backdoor, if they did not develop it.
                  XZ is distributed directly by Linux distros.

                  We are dealing with a major compromise which could have affected the vast majority of distros, if it hadn't been discovered by a Microsoft engineer, and you're talking as if "XZ is not part of Linux distros and it's not a fucking issue". Great. No idea what you're arguing about but you have won.

                  Meanwhile I've left my proposal for Fedora: https://pagure.io/fesco/issue/3185 I'm sure it will be swept under the rug: "Not our issue/not enough resources/no one cares".



                  • Originally posted by novideo View Post

                    Now that's terrifying


                    I wouldn't say that, it seems that avis/biride genuinely has different values and viewpoints than we do. He is often aggressive, arrogant, and/or stubborn, but his posts seem to contain some intellect unlike sophisticles's. sophisticles is definitely a troll though.
                    sophisticles is avis' sock puppet.



                    • Originally posted by avis View Post

                      XZ is distributed directly by Linux distros.
                      So it must be (developed and distributed and signed off) or just distributed "directly"?

                      I'm sure you will keep changing the rules so that Microsoft never had a backdoor and backdoors are limited to open source.

                      No proof of a backdoor in Windows does not prove there is no backdoor in Windows.

                      It would be best to assume everything is potentially backdoored.
