Re: Switching away from XZ

To: Jörg Sonnenberger <joerg%bec.de@localhost>, tech-pkg%netbsd.org@localhost
Subject: Re: Switching away from XZ
From: Jonathan Schleifer <js%NetBSD.org@localhost>
Date: Fri, 5 Apr 2024 11:09:23 +0200

Am 04.04.24 um 02:04 schrieb Jörg Sonnenberger:

One thing we need to discuss for sure is the blame game currently
being played by quite a few parties. "You merged a Jia Tan commit,
you must be a plant as well!" Personally, I find the danger of that kind of
attitude turning away a lot of volunteers a lot more harmful.

I'm not seeing the article author or any of us here playing the blamegame, though?

I never said we should discuss who to blame, but what else the attackerhas probably lined up, given the level of sophistication we saw, andwhat we could do to reduce the attack surface.

Disabling sandboxes is a pretty good sign the attacker has somethingelse they want to use. Combine that with the attacker having added anentirely new decoder, and I'd say there's a high risk.


--
Jonathan

References:
- Switching away from XZ
  - From: Jonathan Schleifer
- Re: Switching away from XZ
  - From: Jonathan Schleifer
- Re: Switching away from XZ
  - From: Jonathan Schleifer
- Re: Switching away from XZ
  - From: Jörg Sonnenberger

Prev by Date: Re: Big devel/gradle update
Next by Date: Re: Switching away from XZ
Previous by Thread: Re: Switching away from XZ
Next by Thread: Re: Switching away from XZ
Indexes:

Home | Main Index | Thread Index | Old Index