Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.
Jan Wildeboer 😷:krulorange: (jwildeboer@social.wildeboer.net)'s status on Saturday, 30-Mar-2024 22:59:26 JST Jan Wildeboer 😷:krulorange:
Jan Wildeboer 😷:krulorange: (jwildeboer@social.wildeboer.net)'s status on Sunday, 31-Mar-2024 05:48:40 JST Jan Wildeboer 😷:krulorange: Now the mess is being cleaned up. AFAICS this exploit was NOT used in the wild by bad actors. So it wasn't even a 0day. The damage is limited, contained and being taken care of. In a coordinated way, across communities, companies and more organisations. Because we were prepared for the aftermath. We have learned from Heartbleed and other events. Our FOSS immune system works. And will learn from this incident. Peace.
Haelwenn /элвэн/ :triskell: likes this.
Jan Wildeboer 😷:krulorange: (jwildeboer@social.wildeboer.net)'s status on Sunday, 31-Mar-2024 05:48:41 JST Jan Wildeboer 😷:krulorange: Just FTR. The backdoor code was inserted only under very specific circumstances in the build process. Once the problem was identified and after initial analysis made it clear how it worked, immediate action was taken in a coordinated fashion. Affected builds/packages were removed, update systems for affected distributions started delivering forced downgrades. Users of these systems were informed. This all happened in public, in transparent and open ways. All in the first 24 hours. I tip my hat.
clacke repeated this.
Leonardo Ferreira Fontenelle (lffontenelle@mastodon.social)'s status on Tuesday, 14-May-2024 00:00:21 JST Leonardo Ferreira Fontenelle @jwildeboer reminds me of when some version of Windows had three backdoors: one accidental, another created by Microsoft for the CIA, and another one created by an infiltrated CIA agent
clacke likes this.
Natasha Nox 🇺🇦🇵🇸 (natanox@chaos.social)'s status on Tuesday, 14-May-2024 00:00:31 JST Natasha Nox 🇺🇦🇵🇸 @jwildeboer Absolutely. From identifying the problem to having the fix on my computer, drawn from the official (Arch) repo, it took just about 3 hours. That's insanely fast.
clacke likes this.
hypolite (hypolite@friendica.mrpetovan.com)'s status on Tuesday, 14-May-2024 04:45:43 JST hypolite @Natanox @jwildeboer Interestingly, the biggest obstacle to this process is GitHub unilaterally closing access to the relevant repository, preventing people from inspecting the offending code and breaking links that people had already published during their research.
clacke likes this.