"Isn't that a bit alarmist?" No!
xz is a base-system package in literally every distro I know of. It's everywhere.
Compromised releases have been out for five weeks and we didn't notice. We only noticed because someone caught openssh taking 10x as long to do DH exchanges and auth. If the attacker had been sneakier we wouldn't have noticed at all.
The compromised xz was in Fedora's testing versions and they didn't notice. You had the compromised version in Arch for a month (and arguably still do, but a combination of build method and source acquisition method likely renders it safe).
If some random guy didn't go "Why is openssh so slow?" and dig really deep into that, it would have hit stable/live distros and then what? We don't know.
@trysdyn Even the fact that Arch wasn't targeted doesn't mean shit--this was aimed at distributions targeting servers all the way up to the enterprise level. This would've cracked open the internet with a hammer.
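Added example, not part of the thread: the first post notes that the compromise was only caught because someone noticed OpenSSH taking far longer than usual on key exchange and authentication. That slowdown is something a defender can watch for instead of stumbling on. The script below is a constructed illustration of such a check. It assumes sshd log lines in the shape of `journalctl -o short-iso-precise` output (microsecond timestamps), with "Connection from" lines available from LogLevel VERBOSE and the usual "Accepted ..." lines; it pairs them by sshd child PID, computes the time from connection to accepted authentication, and flags when the median rises by a large factor against a stored baseline. Every log line, hostname, PID and address here is made up.

```python
import re
import statistics
from datetime import datetime

# Assumed line shape (journalctl -o short-iso-precise): ISO timestamp with
# microseconds and numeric offset, hostname, then "sshd[pid]: message".
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}[+-]\d{4}) '
    r'\S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)


def parse_auth_durations(lines):
    """Map sshd child PID -> seconds from "Connection from" to "Accepted ...".

    Connections that close without an accepted login (scanners, failed
    passwords) are dropped so they neither skew the median nor leak state.
    """
    starts = {}
    durations = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%S.%f%z')
        pid, msg = m['pid'], m['msg']
        if msg.startswith('Connection from '):
            starts[pid] = ts
        elif msg.startswith('Accepted ') and pid in starts:
            durations[pid] = (ts - starts.pop(pid)).total_seconds()
        elif msg.startswith('Connection closed') or msg.startswith('Disconnected'):
            starts.pop(pid, None)
    return durations


def auth_latency_ratio(baseline_lines, observed_lines):
    """Median auth time of the observed window divided by the baseline median."""
    base = list(parse_auth_durations(baseline_lines).values())
    obs = list(parse_auth_durations(observed_lines).values())
    if not base or not obs:
        raise ValueError('need at least one accepted login in each window')
    return statistics.median(obs) / statistics.median(base)


def is_regressed(baseline_lines, observed_lines, factor=5.0):
    """True when authentication got `factor` times slower than the baseline."""
    return auth_latency_ratio(baseline_lines, observed_lines) >= factor


# Constructed sample logs. Baseline: three logins around 0.2 s each plus one
# scanner connection that never authenticates.
BASELINE = [
    '2024-03-01T10:00:00.000000+0000 host1 sshd[1001]: Connection from 192.0.2.10 port 50000 on 192.0.2.1 port 22 rdomain ""',
    '2024-03-01T10:00:00.200000+0000 host1 sshd[1001]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:EXAMPLEKEY',
    '2024-03-01T10:00:30.000000+0000 host1 sshd[1004]: Connection from 198.51.100.7 port 4444 on 192.0.2.1 port 22 rdomain ""',
    '2024-03-01T10:00:31.000000+0000 host1 sshd[1004]: Connection closed by 198.51.100.7 port 4444 [preauth]',
    '2024-03-01T10:01:00.000000+0000 host1 sshd[1002]: Connection from 192.0.2.11 port 50001 on 192.0.2.1 port 22 rdomain ""',
    '2024-03-01T10:01:00.250000+0000 host1 sshd[1002]: Accepted publickey for bob from 192.0.2.11 port 50001 ssh2: ED25519 SHA256:EXAMPLEKEY',
    '2024-03-01T10:02:00.000000+0000 host1 sshd[1003]: Connection from 192.0.2.12 port 50002 on 192.0.2.1 port 22 rdomain ""',
    '2024-03-01T10:02:00.220000+0000 host1 sshd[1003]: Accepted publickey for carol from 192.0.2.12 port 50002 ssh2: ED25519 SHA256:EXAMPLEKEY',
]

# Constructed observed window: the same clients, now taking about 2 s each.
OBSERVED = [
    '2024-03-29T10:00:00.000000+0000 host1 sshd[2001]: Connection from 192.0.2.10 port 50010 on 192.0.2.1 port 22 rdomain ""',
    '2024-03-29T10:00:02.100000+0000 host1 sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 50010 ssh2: ED25519 SHA256:EXAMPLEKEY',
    '2024-03-29T10:01:00.000000+0000 host1 sshd[2002]: Connection from 192.0.2.11 port 50011 on 192.0.2.1 port 22 rdomain ""',
    '2024-03-29T10:01:02.400000+0000 host1 sshd[2002]: Accepted publickey for bob from 192.0.2.11 port 50011 ssh2: ED25519 SHA256:EXAMPLEKEY',
    '2024-03-29T10:02:00.000000+0000 host1 sshd[2003]: Connection from 192.0.2.12 port 50012 on 192.0.2.1 port 22 rdomain ""',
    '2024-03-29T10:02:02.000000+0000 host1 sshd[2003]: Accepted publickey for carol from 192.0.2.12 port 50012 ssh2: ED25519 SHA256:EXAMPLEKEY',
]

if __name__ == '__main__':
    ratio = auth_latency_ratio(BASELINE, OBSERVED)
    print(f'auth latency ratio vs baseline: {ratio:.1f}x')
    print('REGRESSION' if is_regressed(BASELINE, OBSERVED) else 'ok')
```

The factor is deliberately coarse: a fivefold jump in median login time on an otherwise idle host is not explained by normal load, and it is exactly the kind of change that went unremarked for weeks here. The check says nothing about why sshd got slower; it only turns "huh, ssh feels slow" into an alert that someone has to go and explain.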