SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
So then this was an oversight - and those in charge of the repo should have perhaps questioned 'why is said feature prohibited' ?
The commit message of that commit did not exactly say "Now I am blocking an important security feature" and the change to the sources that did block it was not easy to spot. With the knowledge of the liblzma backdoor the project main maintainer did look more closely to older commits from the bad user and found "whoops, that commit fixing this also contains a small little dot blocking that".
My Debian machines run Stable, and were not up to the problematic versions. My Manjaro laptops had the patched version the next day. My source platforms pull source using GIT, and the GIT source was never compromised. My deuvan does not run the things that would make the backdoor usable. So far, no problems here.
Last year there was an academic research project (sadly I can't remember who carried it out) to see if it was possible to inject bad code into the Linux kernel. They used precisely this method, offering harmless patches that corrected minor stylistic errors and seemed only pedantic at worst, but one of them created an opening into which something worse could be inserted later.
Of course they immediately informed the kernel team and the world of their success.
At least the guy who did that to the kernel immediately reported it, and didn't keep it a secret - seems to me this actor had more malicious intent.
Quote:
Originally Posted by henca
The commit message of that commit did not exactly say "Now I am blocking an important security feature" and the change to the sources that did block it was not easy to spot. With the knowledge of the liblzma backdoor the project main maintainer did look more closely to older commits from the bad user and found "whoops, that commit fixing this also contains a small little dot blocking that".
regards Henrik
Not directly no - however nobody seem to have caught the fact that commit would not work or compile with said sandboxing feature enabled, so whoever was in charge should have asked why disable it? So by that I guess who ever maintains code going forward when seeing such things should ask "hang on, why does it only compile without said security feature turned on?" And in that case should reject the code in question and demand the code be fixed and that then and there should in my view root out the bad actor - if say the actor had a pattern of such behavior.
Not directly no - however nobody seem to have caught the fact that commit would not work or compile with said sandboxing feature enabled, so whoever was in charge should have asked why disable it?
From what I understand, the person who was committing the bad code was one of the maintainers. I believe they had social engineered their way to that position over a reasonably long time frame. This was not a rogue commit from a random anonymous person, it's a lot more insidious than that.
From what I understand, the person who was committing the bad code was one of the maintainers. I believe they had social engineered their way to that position over a reasonably long time frame. This was not a rogue commit from a random anonymous person, it's a lot more insidious than that.
That's fascinating, but logical really. Questions spring to mind.
We know Governments are hiring coders as hackers like civil servants to do hacking. Now the Jesuits who educated me taught me to think like Machiavelli, as they did. So did the maintainer guy take bribes? Or are there 'bad actor' Government hackers in many OSS projects quietly making commits and working their way up? And how many unknown carefully concealed backdoors are known to some government and ready to use? They will be quickly patched of course, but not necessarily eradicated completely. It sounds like the xz one is being eradicated completely. If I'm right, we may see a few of such bugs before this Election year is out.
It is a relief that Slackware doesn't use Systemd.
From what I understand, the person who was committing the bad code was one of the maintainers. I believe they had social engineered their way to that position over a reasonably long time frame. This was not a rogue commit from a random anonymous person, it's a lot more insidious than that.
Well again I guess hindsight is 20/20; and this is why anyone who is security minded no matter how insignificant should ask questions - I am not a dev; but again I would have still asked "well hang on, WHY do we need to disable a security feature to get this piece of code to work?" The code shouldn't bend over backwards that way, just like a system should bend over backwards for any security reason..
Quote:
Originally Posted by volkerdi
Oh yeah, that's an old one. Written by the author of lzip, lzlib, and plzip, so perhaps they could be biased. ;-)
Moving to .tlz is tempting, though.
Maybe , does it offer as much compression as xz and decompresses in less time ? Or do you give up some compression ? On the one hand we are in the days of vast data storage, so it is not like it was decades ago where even a megabyte makes a difference, but yea at the same time we don't want to be bloated either and waste too much space...
For packages we most of all want small size to allow us to have many packages on limited installation media size and second we want quick decompression for fast installations.
The disadvantage of .tzs as a package suffix is that it would break the current situation of all packages being named *.t?z.
Yes, I'm sure my scripts are not the only ones that take advantage of that particular pattern. .tzz would work while maintaining the status quo.
I can work-around anything you decide to go with, but if you can let us know one way or the other then those of us who write package related tools can get ahead of the game should you decide to switch.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.