oss-sec mailing list archives

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 30 Mar 2024 11:32:54 -0400

On Sat, Mar 30, 2024 at 9:38 AM Pierre-Elliott Bécue <peb () debian org> wrote:

> Bjoern Franke <bjo () schafweide org> wrote on 30/03/2024 at 14:06:38+0100:
>
>> On 30.03.24 at 04:50, Loganaden Velvindron wrote:
>>> Github has suspended the repo:
>>> https://github.com/tukaani-project/xz
>>> I'm wondering what is the next step for the xz project as a whole?
>>
>> https://git.tukaani.org/?p=xz.git;a=summary exists and Lasse said on
>> IRC he thinks he would make a clean 5.6.2 release.
>>
>> Regards
>
> I honestly would like to extend my sympathy to Lasse.
>
> This situation must clearly be a hell for him.

Lasse published a statement at <https://tukaani.org/xz-backdoor/>.

Someone asked what would become of xz as a project. I do hope in light
of this event, some people step in to help.

Perhaps Lasse should turn over control of the project to an entity
like the Linux Foundation. Xz is critical to Linux now, and it needs
more oversight than Lasse can provide. (Not to impugn Lasse; he seems
to be very busy. Extra [trusted] helping hands would probably be
welcomed).

Jeff
