oss-sec mailing list archives
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Jan Engelhardt <jengelh () inai de>
Date: Sun, 31 Mar 2024 01:23:28 +0100 (CET)
On Saturday 2024-03-30 21:43, Mats Wichmann wrote:
> On 3/30/24 09:32, Jeffrey Walton wrote:
>> Someone asked what would become of xz as a project. I do hope in light of this event, some people step in to help.
>> Perhaps Lasse should turn over control of the project to an entity
> In light of this scenario (at least what I understand about it), it's got to be even harder now for an overloaded maintainer to accept help of a significant nature.
I think it may not make much of a difference. In the instance of xz, the usurper convinced maintainers with contributions over the course of some 2 years to gain reasonable control of the project, and in essence, users. If instead, we picture that a maintainer withholds control (either due to lack of will, or lack of time), a usurper would have to start a fork and convince *users* directly to trust and favor the replacement, an undertaking which might have reasonably taken about 2-3 years as well (judging from the timeframes it took libjpeg-turbo or systemd to get a footing in distros). Other software might have completely different "usurp time" characteristics. That all depends on both how integrated a piece of software is in the larger ecosystem and how many users there already are that would care (for either an improvement or when it breaks).