
30 Mar 2024, 5:34 a.m.
L. V. Lammert wrote on 2024-03-29 13:08:
> Seems to make the case to only use standard tools like gzip?
I'm not sure. I stick with gzip & bzip myself, but this was an extremely clever approach and I'm not sure if xz got targeted because it's a smaller developer group or if xz is more gullible. I suspect everyone's going to be on the lookout going forward for such things. There's already a lot of examining of previous commits by this character, who integrated themself into a number of packages with innocuous prior commits. Interesting story, and only caught by a series of coincidences (someone doing performance testing noticed some timing issues with failed ssh attempts and dug into it further).

rb