Sven Slootweg

xz 

It occurs to me that a lot of distros probably have a lot of already-built packages that involved one of the suspicious xz versions in their build process, and I don't know that they all have the tooling to track which packages need to be rebuilt...

1+
eater

xz 

@joepie91 that's only for stuff that's it statically linked with tho, since all of it is just in the .so?

1+
Sven Slootweg

xz 

@eater xz is a part of *the build process itself* in many cases - extracting source archives, that sort of thing. So it could have affected the source of other applications at any point in that process, in a way that's impossible to trace back.

So anything that has come into contact with xz at any point in its build or distribution process, while this new maintainer was involved, is now suspect. That's... a double-digit percentage of packages on a typical system, I suspect.

1
Sven Slootweg
Follow

xz 

@eater (This is basically a 'trusting trust' type of situation, except one we have plausible evidence for)

· · Web · 0 · 0 · 2
Sign in to participate in the conversation
Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.

Resources

Developers

What is Mastodon?

pixie.town

  • About
  • v3.5.19patch-2024-07-04

More…

v3.5.19patch-2024-07-04 · Privacy policy