GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

Notices

    Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 08:09:19 JST

    Oooooooof

    > Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository.

    https://security.archlinux.org/CVE-2024-3094

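    The advisory quoted above describes the discrepancy that exposed the backdoor: release tarballs carried .m4 files that did not exist in the repository. The script below is an added example, not code from this thread or from the xz project, showing how a consumer of a release can check for exactly that class of mismatch: it lists every regular file in a tarball and reports those that are neither tracked in the repository tree nor matched by an allowlist of artefacts autotools is expected to generate. The repository file list, the tarball contents, the allowlist and the file names (`m4/extra-macro.m4`, `example-1.0.0/`) are all constructed stand-ins so the example runs offline.

```python
# Added example (not from the thread or from any project it mentions): a small
# release-tarball audit that lists files shipped in a tarball but absent from
# the repository tree, the discrepancy the quoted Arch advisory describes.
import io
import tarfile
from fnmatch import fnmatch
from typing import Iterable


def tarball_files(tar_bytes: bytes) -> set[str]:
    """Regular-file paths in a tarball, with the top-level 'name-version/'
    directory stripped so they line up with repository paths."""
    paths: set[str] = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            head, sep, tail = member.name.partition("/")
            paths.add(tail if sep else head)
    return paths


def files_not_in_repo(tar_bytes: bytes, repo_files: Iterable[str],
                      generated_ok: Iterable[str] = ()) -> list[str]:
    """Tarball files that are neither tracked in the repository nor matched by
    an allowlist of build artefacts that autotools is expected to generate."""
    untracked = tarball_files(tar_bytes) - set(repo_files)
    return sorted(p for p in untracked
                  if not any(fnmatch(p, pat) for pat in generated_ok))


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins. In practice REPO_FILES would be the output of
# `git ls-files` at the release tag, and the tarball the published release.
REPO_FILES = {
    "configure.ac",
    "Makefile.am",
    "m4/tracked-macro.m4",
    "src/lib/compress.c",
}
# Files autotools legitimately adds to a distribution tarball (constructed list).
GENERATED_OK = ("configure", "aclocal.m4", "config.h.in", "Makefile.in", "*/Makefile.in")
SAMPLE_TARBALL = build_tarball({
    "example-1.0.0/configure.ac": b"AC_INIT([example], [1.0.0])\n",
    "example-1.0.0/Makefile.am": b"SUBDIRS = src\n",
    "example-1.0.0/configure": b"#!/bin/sh\n",  # generated, expected
    "example-1.0.0/m4/tracked-macro.m4": b"# tracked in the repository\n",
    "example-1.0.0/m4/extra-macro.m4": b"# constructed: present only in the tarball\n",
    "example-1.0.0/src/lib/compress.c": b"int compress(void) { return 0; }\n",
})


def audit_sample() -> list[str]:
    """Run the audit over the constructed tarball and repository tree."""
    return files_not_in_repo(SAMPLE_TARBALL, REPO_FILES, GENERATED_OK)


if __name__ == "__main__":
    for path in audit_sample():
        print("NOT IN REPOSITORY:", path)
```

    The check only catches files the tarball adds; a hostile edit inside a tracked file needs a content diff against the tagged tree, and the allowlist is the soft spot, since anything named like a generated artefact slips through it. Regenerating `configure` and friends from the tagged source and diffing them against the shipped copies closes that gap.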
    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 08:09:17 JST

      Guy has Go project that wraps xz to provide native Go bindings. Project has had no commits for THREE YEARS.

      Suddenly some guy sends a PR to update the version of xz in use to the backdoored version: https://github.com/jamespfennell/xz/pulls/2

      Then you got some guy in the HN comments astroturfing everyone claiming that he knows the guy who submitted the PR IRL and he's a "cool dude", or something.

      All this shit is so sus.

      CAN THE FUCKING FEDS PLEASE STOP BACKDOORING OPEN SOURCE SOFTWARE PLEASE? K THANKS

    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 08:09:18 JST

      Fear not, xz users, a new developer has stepped up to take over the project:

      Tia Jan <jant1203@proton.me>

    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 08:09:18 JST

      The backlash thread on GitHub is already well underway: https://github.com/tukaani-project/xz/issues/92

    • Pleroma-tan (kirby@lab.nyanide.com)'s status on Saturday, 30-Mar-2024 08:17:19 JST
      @eriner dead link
    • ✙ dcc (dcc@annihilation.social)'s status on Saturday, 30-Mar-2024 09:34:50 JST, in reply to John C Dvorak
      @eriner @John (it also requires sys d to work)
    • John C Dvorak (john@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:51 JST

      @eriner explain what this means

    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:51 JST, in reply to John C Dvorak

      @John The post you're commenting on is a bit in the weeds. At a high level, the xz compression library was intentionally subverted by one of the project maintainers and a backdoor was inserted. This impacted SSH on Debian and Fedora, two very popular Linux distros.

      The best high-level writeup I can find is Michael Larabel's: https://www.phoronix.com/news/XZ-CVE-2024-3094

    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:52 JST

      oh yeah, and the guy who submitted the PR supposedly works at 1Password.

      So that's nice.

    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:52 JST

      Both of the maintainer accounts for xz (under https://github.com/tukaani-project) have been suspended, presumably by GitHub staff:

      The suspension isn't listed on the account profile, but visible in the Following/Followers list for some reason, ex: https://github.com/JiaT75?tab=following

      Attachments

      1. https://static.noauthority.social/media_attachments/files/112/181/585/499/251/594/original/022fc5277945874f.png
      2. https://static.noauthority.social/media_attachments/files/112/181/586/780/776/442/original/8dc93fe8ad5869bc.png
    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 11:29:01 JST

      The xz project on GitHub is now disabled. Hopefully everyone who wanted the repo and full commit history already grabbed it.

      Attachments

      1. https://static.noauthority.social/media_attachments/files/112/182/262/964/766/578/original/63b48079ed84399a.png
    • Pleroma-tan (kirby@lab.nyanide.com)'s status on Saturday, 30-Mar-2024 11:29:42 JST
      @eriner BOOOOOM
    • Sexy Moon (moon@shitposter.club)'s status on Saturday, 30-Mar-2024 11:58:14 JST, in reply to Sir Nedwood
      @eriner @ned they probably just have so much bureaucratic and technical inertia that it's easier to repurpose the TOS violation blockout to prevent people from downloading the code than make an intelligent exception that prevents downloading of historic git revisions while allowing others, and discussion.
    • Sir Nedwood (ned@noauthority.social)'s status on Saturday, 30-Mar-2024 11:58:15 JST

      @eriner public information available about a spook operation? We can't possibly have that. Time to lock it down.

    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 11:58:15 JST, in reply to Sir Nedwood

      @ned it is quite odd, considering that the maintainers' accounts were already suspended, as I posted evidence of a few hours ago.

      I don't understand the intent behind blocking access to the entire repository, essentially memory-holing all of the non-code content (issue text, pull request discussions, etc.)

      Very, very strange behavior by GitHub/Microsoft.

    • Sexy Moon (moon@shitposter.club)'s status on Saturday, 30-Mar-2024 12:16:07 JST, in reply to Sir Nedwood
      @eriner @ned in a well architected system without tech debt probably but who knows how big of a mess they're dealing with internally. I'm just guessing though. I've worked on systems where it's horrifying to contemplate a fine-grained manual intervention to solve a problem because you just don't know what you might break, but there's a button that deletes the whole account.
    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 12:16:09 JST, in reply to Sexy Moon and Sir Nedwood

      @Moon @ned I don't buy this because you could just 500 the releases at the reverse proxy / WAF level. It's not like that kind of change would require touching the behemoth Ruby codebase that runs GitHub.

    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 12:27:00 JST, in reply to IceCubeSoup and Zeke

      @echoteecat @IceCubeSoup it makes you wonder if they're hiding it because it might unravel some threads that tie back to a "fellow cooperative department".

      As far as I know, this is unprecedented by GitHub.

    • Zeke (echoteecat@noauthority.social)'s status on Saturday, 30-Mar-2024 12:27:04 JST, in reply to IceCubeSoup

      @IceCubeSoup @eriner Sure, but why not let 4chan and internet archive also get a copy of the "crime scene".

      Why does the FBI get first dibs on planting evidence... I mean investigating?

    • IceCubeSoup (icecubesoup@noauthority.social)'s status on Saturday, 30-Mar-2024 12:27:05 JST, in reply to Zeke

      @eriner @echoteecat I might have locked it down completely too, until it can be adequately examined to figure out what the hell happened, and how far back the shenanigans go, and who was doing what, etc.

      There may be some questions of legal liability which the executives want to be addressed.

      It's not like they completely destroyed it, it's still there.

      I agree that it will be quite questionable if it doesn't reappear within a week or so, though.

    • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 12:27:06 JST

      Unless GitHub reverts this change, it is now impossible for researchers to view the discussion from issues and pull requests in the xz repository.

      I cannot think of a legitimate reason for GitHub to censor this content: the two members of the organization had already had their accounts suspended by GitHub; it's not as if they could forcibly push over the content in the repo.

      I'm not sure what to make of this move by GitHub/Microsoft, but it sure isn't a good look.



GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.