GitHub Disables The XZ Repository Following Today's Malicious Disclosure


  • #31
    Originally posted by vtorri:
    According to https://www.redhat.com/en/blog/urgen...-rawhide-users the problem is an M4 macro, used by autotools. So why not just remove the autotools build system? The CMake build system is already usable for xz.
    There are other methods to inject this even without autotools, so that is not very relevant.



    • #32
      Disabling the repository was dumb as f*ck. The Arch PKGBUILD, for example, points to it as its upstream. So now if Arch wants to build a good package from an old commit, they can't, because upstream has disappeared.

      It's also now needlessly hard for people to analyse the paper trail of commits and discussions, since one has to find a fork or a mirror. And since such forks and mirrors inevitably exist, they're not really blocking access to anything.

      GitHub should have marked the repo read-only, and maybe reset master branch to some older commit to prevent unsuspecting people from building the pwned version, but not disabled the repository entirely. This makes me think the staff have no idea what they're doing.



      • #33
        Originally posted by ⲣⲂaggins:
        GitHub should have marked the repo read-only, and maybe reset master branch to some older commit to prevent unsuspecting people from building the pwned version, but not disabled the repository entirely.
        But they don't know if anything else is compromised until a full audit is done. What if the older state they would provide is also compromised? While probably not ideal to disable the entire repo, it's still understandable. It's not like they are idiots for doing this. The exploit and compromised dimensions are not fully understood yet. Who knows if someone else is involved too!



        • #34
          Originally posted by ⲣⲂaggins:
          Disabling the repository was dumb as f*ck. The Arch PKGBUILD, for example, points to it as its upstream. So now if Arch wants to build a good package from an old commit, they can't, because upstream has disappeared.

          It's also now needlessly hard for people to analyse the paper trail of commits and discussions, since one has to find a fork or a mirror. And since such forks and mirrors inevitably exist, they're not really blocking access to anything.

          GitHub should have marked the repo read-only, and maybe reset master branch to some older commit to prevent unsuspecting people from building the pwned version, but not disabled the repository entirely. This makes me think the staff have no idea what they're doing.
          They are minimizing the fallout and limiting ways to interfere with the evidence. This is a high-profile nation-level issue now.



          • #35
            Originally posted by cend:

            There are other methods to inject this even without autotools, so that is not very relevant.
            For xz, for now, it's only an M4 macro. Do you have other information to share about this backdoor when building with CMake? Because I'm used to compiling xz myself with CMake only.

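The check a packager would want after the exchange above, as an added example that is not part of the original thread, the xz project or the linked Red Hat advisory: a POSIX shell script that compares an unpacked release tarball against the tagged source tree and reports files that exist only in the tarball or whose content differs. Generated files such as `configure` and extra `m4/*.m4` macros are expected in an autotools tarball, but they are exactly the files a reviewer never sees in the repository, so they are the ones to inspect. The directory layout and the sample files are constructed for the example, not taken from any real release.

```shell
#!/bin/sh
# Added illustrative example; not code from the xz project, the Red Hat
# advisory or any poster in this thread. Compares a "release tarball" tree
# against a "git tag" tree and reports files that exist only in the tarball
# or whose content differs. All sample paths below are constructed.
set -eu
LC_ALL=C
export LC_ALL

# audit_tree TAG_DIR TARBALL_DIR
# Prints one line per finding, sorted by path:
#   ONLY <path>   file exists only in the tarball (generated or injected)
#   DIFF <path>   file exists in both trees but the content differs
audit_tree() {
    tag_dir=$1
    tarball_dir=$2
    ( cd "$tarball_dir" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$tag_dir/$f" ]; then
            printf 'ONLY %s\n' "$f"
        elif ! cmp -s "$tag_dir/$f" "$tarball_dir/$f"; then
            printf 'DIFF %s\n' "$f"
        fi
    done
}

# make_sample_trees ROOT
# Constructed sample data (not real xz files). The "tarball" tree carries a
# generated configure script, one m4 file absent from git, and a Makefile.am
# that was edited after tagging.
make_sample_trees() {
    root=$1
    mkdir -p "$root/tag/m4" "$root/tag/src" "$root/tarball/m4" "$root/tarball/src"
    for t in tag tarball; do
        printf 'AC_INIT([sample], [1.0])\n' > "$root/$t/configure.ac"
        printf 'int main(void) { return 0; }\n' > "$root/$t/src/main.c"
        printf 'dnl placeholder macro\n' > "$root/$t/m4/placeholder.m4"
    done
    printf 'SUBDIRS = src\n' > "$root/tag/Makefile.am"
    printf 'SUBDIRS = src\nEXTRA_DIST = m4/extra.m4\n' > "$root/tarball/Makefile.am"
    printf '#!/bin/sh\necho generated\n' > "$root/tarball/configure"
    printf 'dnl not present in git\n' > "$root/tarball/m4/extra.m4"
}

# run_sample_audit
# Builds the sample trees in a temporary directory, audits them, cleans up
# and prints the findings.
run_sample_audit() {
    tmp=$(mktemp -d)
    make_sample_trees "$tmp"
    audit_tree "$tmp/tag" "$tmp/tarball"
    rm -rf "$tmp"
}

run_sample_audit
```

On a real project the two arguments would be the directory produced by unpacking the published tarball and a clean checkout (or `git archive` export) of the matching tag; every `ONLY` or `DIFF` line is a file whose contents cannot be reviewed by reading the repository and therefore needs to be diffed by hand or regenerated locally.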


            • #36
              Bugs like this remind me of the wisdom of this xkcd.



              • #37
                Originally posted by avis:
                The repo was disabled because it's now a matter of national security. NSA/CIA/FBI have full access though because they need to trace every IP and every interaction.

                Had this not been discovered and quite serendipitously so, the hackers behind this attack could have compromised RHEL, Ubuntu, SLES and oh boy this is some extremely serious stuff.
                It's already serious, the backdoor has been distributed for a few weeks. It was a regular user that found it.



                • #38
                  Originally posted by dlq84:

                  It's already serious, the backdoor has been distributed for a few weeks. It was a regular user that found it.
                  Not a regular user, Andres Freund, a well-known Microsoft developer of all people, which shows how people here who continue to blame MS for having/pushing/distributing back doors in their products are far removed from reality.



                  • #39
                    Originally posted by avis:
                    Not a regular user, Andres Freund, a well-known Microsoft developer of all people, which shows how people here who continue to blame MS for having/pushing/distributing back doors in their products are far removed from reality.
                    This has nothing to do with what Microsoft does on closed source Windows. And it does not matter at all for this topic.



                    • #40
                      xz is a good format and i am not going to move away from it just because the NSA asset RedHat tells me to. The company that runs XKeyscore and PRISM isn't the most trustworthy.
