👽 lykso

The news about the xz backdoor has got me feeling exhausted.

2 years ago


7 Replies

👽 lykso

@shway Yeah, this really is another data point confirming the dangers of monoculture and the desirability of heterogeneity. It's less efficient to have all these different redundant systems about, all these differently constructed stacks, but it seems to be the surest defense against total compromise I know of. · 2 years ago

👽 shway

It seems that the backdoor needs systemd, so it's a good thing I'm on BSD.

This sucks for the XZ devs · 2 years ago

👽 ps

Glad that I chose Debian instead of Arch. Suppose that's only just one issue we know about :p · 2 years ago

👽 half_elf_monk

@lykso - Agree. I guess there's solace in this... they did find out about it at all. Also: yes, that's... probably not a bad thing to consider. My own life would be a lot easier (emotionally?) if my "home base" was in front of a book and not a screen. · 2 years ago

👽 lykso

@half_elf_monk It was caught before it reached any "stable" distributions, but the use of sock puppets to harangue the lead maintainer into giving more access to the malicious committer, the questions regarding whether the committer was coerced into inserting the backdoor or whether they were playing the long game the whole time, and the fact that it was only caught because it happened to be a very "noisy" backdoor really make me despair somewhat of us ever being able to really trust our computing devices, or even our collaborators in this space. Makes me feel very tired. Like maybe I should just find a way to never use modern technology again. 😛 · 2 years ago

👽 half_elf_monk

Does this matter if you're not running a bleeding-edge distro? Or is the problem upstream of all other updates? · 2 years ago

👽 half_elf_monk

Wishing you well! You can make it! · 2 years ago