👽 lykso

The news about the xz backdoor has got me feeling exhausted.

6 months ago



8 Replies

👽 lykso

@shway Yeah, this really is another data point confirming the dangers of monoculture and the desirability of heterogeneity. It's less efficient to have all these different redundant systems about, all these differently constructed stacks, but it seems to be the surest defense against total compromise I know of. · 6 months ago

👽 shway

It seems that the backdoor needs systemd, so it's a good thing I'm on BSD.

This sucks for the XZ devs · 6 months ago

👽 aelspire

Well, this is probably the most viral supply chain attack outside of npm, crates.io and pypi. And this shows that not only those might be sources of problems. I think this is a pretty important lesson which will make us much more careful, as people will remember this one, the same as Heartbleed is still mentioned. So the outcome can be positive despite the current mess. · 6 months ago

👽 ps

Glad that I chose Debian instead of Arch. Suppose that's only just one issue we know about :p · 6 months ago

👽 half_elf_monk

@lykso - Agree. I guess there's solace in this... they did find out about it at all. Also: yes, that's... probably not a bad thing to consider. My own life would be a lot easier (emotionally?) if my "home base" was in front of a book and not a screen. · 6 months ago

👽 lykso

@half_elf_monk It was caught before it reached any "stable" distributions, but the use of sock puppets to harangue the lead maintainer into giving more access to the malicious committer, the questions regarding whether the committer was coerced into inserting the backdoor or whether they were playing the long game the whole time, and the fact that it was only caught because it happened to be a very "noisy" backdoor really makes me despair somewhat of us ever being able to really trust our computing devices, or even our collaborators in this space. Makes me feel very tired. Like maybe I should just find a way to never use modern technology again. 😛 · 6 months ago

👽 half_elf_monk

Does this matter if you're not running a bleeding-edge distro? Or is the problem upstream of all other updates? · 6 months ago

👽 half_elf_monk

Wishing you well! You can make it! · 6 months ago