Switching away from XZ

To: tech-pkg%NetBSD.org@localhost
Subject: Switching away from XZ
From: Jonathan Schleifer <js%NetBSD.org@localhost>
Date: Mon, 1 Apr 2024 21:00:12 +0200

We all know about the XZ backdoor by now. But there is anotherinteresting thing that I think we should discuss:


* There was an attempt to sabotage the Landlock sandbox on Linux.
* Capsicum support was outright removed from autotools-based builds.

It seems that the same entity who put the backdoor in XZ has a very highinterest in making sure that the XZ utility runs without a sandbox.

I know this is all speculation, but to me, this is a very strongindicator that the same entity is sitting on a 0day against XZ that theywould like to use, so they want to get rid of the sandbox before doing so.

Given that they probably also control other projects, just under adifferent fake identity, I think it might be a good idea to change allprojects from XZ to either GZ, BZ2 or ZSTD archives. IMO the logicalnext thing for the attacker to do would be to create a malicious XZ foranother project that then uses RCE in XZ.

Would there be objections in doing a mass replace ofEXTRACT_SUFX=.tar.xz to EXTRACT_SUFX=.tar.gz/.tar.bz2/.tar.zst?


--
Jonathan

Follow-Ups:
- Re: Switching away from XZ
  - From: Thomas Klausner
- Re: Switching away from XZ
  - From: Jonathan A. Kollasch
- Re: Switching away from XZ
  - From: Alistair Crooks

Prev by Date: Re: 2024Q1 freeze planning
Next by Date: Re: Switching away from XZ
Previous by Thread: Big devel/gradle update
Next by Thread: Re: Switching away from XZ
Indexes:

Home | Main Index | Thread Index | Old Index