XZ backdoor in a nutshelllemmy.zipimagecross-posted to: linux@lemmy.eco.br Possibly linux ( @possiblylinux127@lemmy.zip ) Linux@lemmy.mlEnglish • 8 months ago message-square59fedilinkarrow-up1707
arrow-up1707imageXZ backdoor in a nutshelllemmy.zip Possibly linux ( @possiblylinux127@lemmy.zip ) Linux@lemmy.mlEnglish • 8 months ago message-square59fedilinkcross-posted to: linux@lemmy.eco.br
minus-square noddy ( @noddy@beehaw.org ) linkfedilink29•8 months agoThe scary thing about this is thinking about potential undetected backdoors similar to this existing in the wild. Hopefully the lessons learned from the xz backdoor will help us to prevent similar backdoors in the future.
minus-square Possibly linux ( @possiblylinux127@lemmy.zip ) OPlinkfedilinkEnglish19•8 months agoI think we need focus on zero trust when it comes to upstream software
minus-square jackpot ( @jackpot@lemmy.ml ) linkfedilink2•8 months agoexactly, stop depending on esoteric libraries
minus-square Possibly linux ( @possiblylinux127@lemmy.zip ) OPlinkfedilinkEnglish1•8 months agoIt is fine to use them just know how they work and check the commit log. That of course requires you to pull from got instead of a tarball
minus-square billgamesh ( @billgamesh@lemmy.ml ) linkfedilink1•8 months agothis was well hidden. not sure anyone would have spotted this by checking commit log
minus-square Possibly linux ( @possiblylinux127@lemmy.zip ) OPlinkfedilinkEnglish1•8 months agoIt was hidden in the Tarball
minus-square billgamesh ( @billgamesh@lemmy.ml ) linkfedilink1•edit-28 months agoi’m not an expert, but my reading was that it was hidden in a binary used for testing EDIT: oh yeah, i see what you mean
The scary thing about this is thinking about potential undetected backdoors similar to this existing in the wild. Hopefully the lessons learned from the xz backdoor will help us to prevent similar backdoors in the future.
I think we need focus on zero trust when it comes to upstream software
exactly, stop depending on esoteric libraries
It is fine to use them just know how they work and check the commit log.
That of course requires you to pull from got instead of a tarball
this was well hidden. not sure anyone would have spotted this by checking commit log
It was hidden in the Tarball
i’m not an expert, but my reading was that it was hidden in a binary used for testing EDIT: oh yeah, i see what you mean