💾 Archived View for station.martinrue.com › lykso › f200823fb5f44177becfb562a4c33219 captured on 2024-08-18 at 23:16:28. Gemini links have been rewritten to link to archived content


👽 lykso

The news about the xz backdoor has got me feeling exhausted.

4 months ago


8 Replies

👽 lykso

@shway Yeah, this really is another data point confirming the dangers of monoculture and the desirability of heterogeneity. It's less efficient to have all these different redundant systems about, all these differently constructed stacks, but it seems to be the surest defense against total compromise I know of. · 4 months ago

👽 shway

It seems that the backdoor needs systemd, so it's a good thing I'm on BSD.

This sucks for the XZ devs · 4 months ago

👽 aelspire

Well, this is probably the most viral supply chain attack outside of npm, crates.io and pypi. And this shows that not only those might be sources of problems. I think this is a pretty important lesson which will make us much more careful, as people will remember this one, the same as Heartbleed is still mentioned. So the outcome can be positive despite the current mess. · 4 months ago

👽 ps

Glad that I chose Debian instead of Arch. Suppose that's only just one issue we know about :p · 4 months ago

👽 half_elf_monk

@lykso - Agree. I guess there's solace in this... they did find out about it at all. Also: yes, that's... probably not a bad thing to consider. My own life would be a lot easier (emotionally?) if my "home base" was in front of a book and not a screen. · 4 months ago

👽 lykso

@half_elf_monk It was caught before it reached any "stable" distributions, but the use of sock puppets to harangue the lead maintainer into giving more access to the malicious committer, the questions regarding whether the committer was coerced into inserting the backdoor or whether they were playing the long game the whole time, and the fact that it was only caught because it happened to be a very "noisy" backdoor really makes me despair somewhat of us ever being able to really trust our computing devices, or even our collaborators in this space. Makes me feel very tired. Like maybe I should just find a way to never use modern technology again. 😛 · 4 months ago

👽 half_elf_monk

Does this matter if you're not running a bleeding-edge distro? Or is the problem upstream of all other updates? · 4 months ago

👽 half_elf_monk

Wishing you well! You can make it! · 4 months ago