[opensource-wg] xz incident shows the need for structural change (in FLOSS maintenance & funding)
Joost van Baal-Ilić
joostvb-opensource-wg at mdcc.cx
Thu Apr 11 19:12:48 CEST 2024
Hi,

On Thu, Apr 11, 2024 at 03:26:35PM +0200, Vesna Manojlovic wrote:
> FYI: by Sovereign Tech Fund
> https://www.sovereigntechfund.de/news/xz-structural-change

Thanks! And for a concise and technical background document, see
https://tukaani.org/xz-backdoor/ (quoted below).

Bye,

Joost

-----------------------------------------------------------------------------

XZ Utils backdoor
Lasse Collin

This page will get updated as I learn more about the incident.

2024-04-09: The Git repositories of XZ projects are available on GitHub again.

The email address xz at tukaani dot org forwards to me only. This change was made on 2024-03-30.

The xz.tukaani.org DNS name (CNAME) has been removed and won’t be restored. The XZ projects have moved to their old URLs on tukaani.org. XZ Utils’s home page is still under construction, though.

To media and reporters

I won’t reply for now because first I need to understand the situation thoroughly enough. It’s enough to reload this page once per 48 hours to check if this message has changed.

Email

I have gotten a lot of email. Thanks for the positive comments. Unfortunately I don’t have time to reply to most of them.

Facts

• CVE-2024-3094
• XZ Utils 5.6.0 and 5.6.1 release tarballs contain a backdoor. These tarballs were created and signed by Jia Tan.
• Tarballs created by Jia Tan were signed by him. Any tarballs signed by me were created by me.
• GitHub accounts of both me (Larhzu) and Jia Tan were suspended. Mine was reinstated on 2024-04-02.
• Only I have had access to the main tukaani.org website, git.tukaani.org repositories, and related files. Jia Tan only had access to things hosted on GitHub, including the xz.tukaani.org subdomain (and only that subdomain).

Plans

I plan to write an article about how the backdoor got into the releases and what can be learned from this. I’m still studying the details.

xz.git needs to be gotten to a state where I’m happy to say I fully approve its contents. It is debated whether to rebase the master branch to purge the malicious files so that they won’t trip antivirus software or such. Currently the opinion is somewhat tilted towards not rebasing.

Review of the repository is being made. This has higher priority right now than the pending article. These will unfortunately but obviously take several days.

A clean stable XZ Utils release version is likely to jump to 5.8.0. It should clearly separate the clean one from the bad 5.6.x.

Links

• Details by Andres Freund [ https://www.openwall.com/lists/oss-security/2024/03/29/4 ]
• FAQ by Sam James
• Gentoo bug 928134 [ bugs.gentoo.org/928134 ]
• Debian bug 1068024 [ bugs.debian.org/1068024 ]

Last updated 2024-04-09 22:26:37 +0300