Has anyone heard about the XZ issue?


The story is scary but thankfully it was not found in stable releases of Debian.

Here are the versions concerned:

It’s known that XZ Utils versions 5.6.0 and 5.6.1 were included in the March builds of the following Linux distributions:

  • Kali Linux, but, according to the official blog, only those that were available between March 26 and March 29 (the blog also contains instructions for checking for vulnerable versions of utilities);
  • openSUSE Tumbleweed and openSUSE MicroOS, available from March 7 to March 28;
  • Fedora 41, Fedora Rawhide, and Fedora Linux 40 beta;
  • Debian (testing, unstable and experimental distributions only);
  • Arch Linux – container images available from February 29 to March 29. However, the website archlinux.org states that, due to its implementation peculiarities, this attack vector won’t work in Arch Linux, but they still strongly recommend updating the system.

 

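A quick way to turn the version list above into a check on a host, as an added example (mine, not code from the post or from any distribution's advisory). It assumes a POSIX shell with `xz`, `sed`, `grep` and `ldd` available, and that sshd, if installed, is on PATH or at /usr/sbin/sshd. It tests for the two affected upstream releases and then whether the local sshd loads liblzma at all, which is the route the backdoor used (liblzma pulled into sshd through the libsystemd notification patch that Debian and Fedora carry) and the reason the Arch build mentioned above was not exposed.

```shell
#!/bin/sh
# Added example: check a host for the XZ Utils 5.6.0 / 5.6.1 releases named in
# the thread and for the sshd -> liblzma link the backdoor depended on.
# Not from the original post or from any distribution's advisory.

# Pull "major.minor.patch" out of the first line `xz --version` prints,
# e.g. "xz (XZ Utils) 5.6.1" or a distro-suffixed "xz (XZ Utils) 5.6.1-1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

# True (exit 0) when the version is one of the two affected upstream releases.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# True when the given `ldd` output shows the binary loading liblzma.
# The malicious code lived in liblzma and hooked sshd only when sshd
# (directly or via libsystemd) loaded that library.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks against the live system. Prints a verdict; returns 2 when
# an affected xz release is installed so the script can drive automation.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
        if xz_version_is_affected "$ver"; then
            echo "xz $ver: one of the affected upstream releases, update or downgrade now"
            rc=2
        else
            echo "xz ${ver:-unknown}: not 5.6.0 or 5.6.1"
        fi
    else
        echo "xz not installed"
    fi

    # /usr/sbin is often not on an unprivileged user's PATH, so fall back to it.
    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null || true)"; then
            echo "$sshd_path loads liblzma: the path the backdoor used"
        else
            echo "$sshd_path does not load liblzma, like the Arch build"
        fi
    fi
    return $rc
}

check_host
```

Treat the version string as a first pass only: a reverted package reports the older number (Debian's 5.6.1+really5.4.5 shows up as 5.4.5), while a distro that rebuilt 5.6.x from clean sources may still print 5.6.1, so confirm against your distribution's advisory. Likewise "sshd does not load liblzma" only rules out the sshd vector that was actually found; the library itself should still be replaced.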

2 minutes ago, ShadowOfHassen said:

What's more scary is how there was a weaponized effort to take over an essential part of the Linux stack by burning out a sole developer and then adding the malicious code. It was pure luck that someone found the problem.

Yes. But it was pretty obvious it would happen; everything is becoming extremely complex in the digital world. Thousands of libraries developed by a very small number of persons, used by very important systems, which necessitate constant updates... it is obviously a weak point.

Furthermore, the hacker played the long game this time, earning the trust of the other developers/contributors.


1 minute ago, Genava55 said:

Yes. But it was pretty obvious it would happen; everything is becoming extremely complex in the digital world. Thousands of libraries developed by a very small number of persons, used by very important systems, which necessitate constant updates... it is obviously a weak point.

I agree. I honestly think that this is OSS's Achilles' heel: the bad actor who takes value and, instead of giving value back, demands better support, which can allow even worse actors to take control.

There needs to be a way to allow the developers to get paid for their efforts while still having the coolness of OSS, or else I'm afraid the entire free software experience might break.

(I'm not worried about 0 A.D., until Microsoft, Amazon and Google use it for an essential part of their infrastructure and don't contribute.)


31 minutes ago, hyperion said:

The technical issue is fairly well summed up by Sam James from Gentoo at https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

A rather good video by Theo discussing the human component of the exploit:

 

I have to agree with his take. I have seen first-hand that people who ban everyone who disagrees with them and complain about "toxic" environments are the ones who create them, so I'm hesitant to automatically ban someone who says something mean. However, I do think OSS needs to get cleaned up a bit.

 

Not here however, I think 0 A.D. is for the most part fine even though sometimes we argue.


[image: xkcd comic "Dependency"]

Theo mentions, in the video that you linked, how relevant this comic by xkcd is about dependency projects that are being thanklessly maintained for decades. This comic is exactly what I thought of when I first heard the news about the XZ intrusion.

Open source developers are getting bored or tired and then projects either stagnate or are handed over to different maintainers. This can be a cause of either minor flaws or serious security-relevant flaws. I think that an important reason that open source developers get burnt out is because most open source developers can't make a living doing it. It's irrational to do work over the long term that others exploit if the developer gets almost no reward. After a while the cognitive dissonance, or one's financial or health situation, catches up to that issue.

According to this dotJS lecture, project leaders of important projects end up with quite unfun, unpaid obligations when the projects grow into mature dogs instead of "cute puppies".

Meanwhile, starving open source projects with good design, especially when they're important to the infrastructure of open source software, are potential targets for social engineering attacks similar to what happened to XZ.

What's the solution? I think that free software developers need to contribute more to the thankless foundational projects. And, the commercial software sector needs to fund the foundational projects.

But, I predict that the status quo will continue. The average for-profit corporation is, according to the documentary The Corporation, a psychopath and/or freeloader, due to the prevailing goal of profit above all else, which in turn comes from the legal text in their corporate charters.


1 hour ago, Norse_Harold said:

[image: xkcd comic "Dependency"]

Theo mentions, in the video that you linked, how relevant this comic by xkcd is about dependency projects that are being thanklessly maintained for decades. This comic is exactly what I thought of when I first heard the news about the XZ intrusion.

Because of the complexity of modern software, I believe it's utterly important to keep third-party dependencies to a minimum when developing software. One of the worst offenders there is probably the JavaScript ecosystem, where you quickly pull in dependencies by the hundreds if not thousands.

1 hour ago, Norse_Harold said:

The average for-profit corporation is, according to the documentary The Corporation, a psychopath and/or freeloader, due to the prevailing goal of profit above all else, which in turn comes from the legal text in their corporate charters.

It's kind of interesting. I'd argue that the vast majority of people are ethical and, as corporations consist of people, they should therefore be ethical as well. However, once a corporation reaches a certain size, its employees start making unethical decisions (or at least decisions which aren't in the interest of their customers).

