[Discuss] Debian 12 in the Cloud
Kent Borg
kentborg at borg.org
Fri May 31 11:50:02 EDT 2024
On 5/31/24 06:37, markw at mohawksoft.com wrote:
> The xz thing is totally different. That was a masterful bit of espionage.
> It was two years in the making, and if we don't think this is elsewhere as
> well, unrelated to systemd, then I'm sure we are kidding ourselves.
The xz thing was, indeed, masterfully done! I hate to say it, but I have
admiration for them. They slipped the bad code into .m4 files that were
part of test code, or something like that. How many people know M4? And
it's just test code, and the project needs the help, this contributor
has done good work…
Very impressive stuff. I am very sympathetic to the plight of the xz
people. See https://imgs.xkcd.com/comics/dependency.png
But how in the hell could a compromise of xz put a backdoor into sshd‽‽
Because systemd patches sshd…because systemd.
The ssh people are very careful, ssh is very important, so I am glad
they are careful. But when someone *else* starts patching sshd, because
they are building some big, complicated, sloppy OS within an OS, I want
nothing to do with it. And I have no sympathy for their role in this.
-kb
P.S. I love the idea of wondering how much good open source work is done
by major intelligence agencies as part of schemes like this. How much
really good ssh work is being done today by such organizations hoping to
slip something nasty in in the future?
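The mechanism the post alludes to is a transitive link: the distribution patch made sshd link libsystemd (for sd_notify), and libsystemd linked liblzma, so the trojaned xz code was mapped into the sshd process. The script below is an added example, not part of the original post or of any project it mentions; it parses ldd-style output (which lists indirect dependencies as well as direct ones) and flags any binary that ends up loading liblzma, so an administrator can see which daemons on a host inherit that dependency. The two sample ldd listings are constructed, and the default path /usr/sbin/sshd is an assumption about a Debian-style layout.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether an executable
# would load liblzma, directly or through another library such as libsystemd.

# Constructed sample ldd output: an sshd built with the libsystemd patch.
SAMPLE_WITH_LZMA='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Constructed sample ldd output: an unpatched sshd with no libsystemd link.
SAMPLE_WITHOUT_LZMA='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Read ldd-style lines on stdin ("name => path (addr)") and print the
# library soname of each resolved entry, one per line. Lines without "=>"
# (the vdso, the dynamic loader) are skipped.
parse_ldd_output() {
    sed -n 's/^[[:space:]]*\([^ ]*\) => .*/\1/p'
}

# Return 0 if the ldd output passed as $1 lists liblzma, 1 otherwise.
links_liblzma() {
    printf '%s\n' "$1" | parse_ldd_output | grep -q '^liblzma\.so'
}

# Run ldd on a real binary and report. Return 0 if liblzma is loaded,
# 1 if not, 2 if ldd could not inspect the file.
check_binary() {
    bin="$1"
    out=$(ldd "$bin" 2>/dev/null) || { echo "ldd failed for $bin"; return 2; }
    if links_liblzma "$out"; then
        echo "$bin loads liblzma; libraries of interest in its dependency chain:"
        printf '%s\n' "$out" | grep -E 'libsystemd|liblzma'
        return 0
    fi
    echo "$bin does not load liblzma"
    return 1
}

# Stand-alone use: ./check_lzma.sh /usr/sbin/sshd (path is an assumption).
if [ $# -gt 0 ]; then
    check_binary "$1"
fi
```

Because ldd resolves the whole dependency tree, the check catches liblzma whether sshd links it itself or only inherits it via libsystemd; on a host where the result is unexpected, the libsystemd line in the output shows which intermediate library is responsible.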