GitHub Disables The XZ Repository Following Today's Malicious Disclosure
Disabling the repository was dumb as f*ck. The Arch PKGBUILD, for example, points to it as its upstream. So now if Arch wants to build a good package from an old commit, they can't, because upstream has disappeared.
It's also now needlessly hard for people to analyse the paper trail of commits and discussions, since one has to find a fork or a mirror. And since such forks and mirrors inevitably exist, they're not really blocking access to anything.
GitHub should have marked the repo read-only, and maybe reset master branch to some older commit to prevent unsuspecting people from building the pwned version, but not disabled the repository entirely. This makes me think the staff have no idea what they're doing.
Likes 25
Originally posted by ⲣⲂaggins
GitHub should have marked the repo read-only, and maybe reset master branch to some older commit to prevent unsuspecting people from building the pwned version, but not disabled the repository entirely.
Likes 13
Originally posted by ⲣⲂaggins
Disabling the repository was dumb as f*ck. The Arch PKGBUILD, for example, points to it as its upstream. So now if Arch wants to build a good package from an old commit, they can't, because upstream has disappeared.
It's also now needlessly hard for people to analyse the paper trail of commits and discussions, since one has to find a fork or a mirror. And since such forks and mirrors inevitably exist, they're not really blocking access to anything.
GitHub should have marked the repo read-only, and maybe reset master branch to some older commit to prevent unsuspecting people from building the pwned version, but not disabled the repository entirely. This makes me think the staff have no idea what they're doing.
Likes 7
Originally posted by cend
There are other methods to inject this even without autotools, so that is not very relevant.
Likes 2
Originally posted by avis
The repo was disabled because it's now a matter of national security. NSA/CIA/FBI have full access though because they need to trace every IP and every interaction.
Had this not been discovered and quite serendipitously so, the hackers behind this attack could have compromised RHEL, Ubuntu, SLES and oh boy this is some extremely serious stuff.
Likes 3
Originally posted by dlq84
It's already serious; the backdoor has been distributed for a few weeks. It was a regular user that found it.
Likes 9
Originally posted by avis
Not a regular user, Andres Freund, a well-known Microsoft developer of all people, which shows how people here who continue to blame MS for having/pushing/distributing back doors in their products are far removed from reality.
Likes 17