Arch Linux

7605 readers

2 users here now

The beloved lightweight distro

founded 4 years ago

MODERATORS

k_o_t@lemmy.ml

369

The xz package has been backdoored, you need to update your system now (archlinux.org)

submitted 5 months ago by Fubarberry@sopuli.xyz to c/archlinux@lemmy.ml

44 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Fubarberry@sopuli.xyz 17 points 5 months ago (1 children)

This is just speculation, but I think this was a long planned attack. I think it's unlikely any previous backdoors or significant security vulnerabilities would have been introduced, the goal was to establish themselves as a legitimate contributor and then sneak one critical backdoor in unnoticed. Sneaking in multiple vulnerabilities would have increased the risk of detection.

From what I understand they did cause a conflict with another package, and then used that to try to justify having the backdoored versions of the package fast tracked into upcoming Debian and fedora releases. But that would also suggest that their whole goal was shipping this one backdoor.

[–] xvlc@feddit.de 9 points 5 months ago* (last edited 5 months ago) (1 children)

More instances of sabotage are being found.

[–] Fubarberry@sopuli.xyz 2 points 5 months ago

Well that's unfortunate