Re: xz backdoor


On 2024-03-30 10:49, Jonathan Carter wrote:
> Another big question for me is whether I should really still
> package/upload/etc from an unstable machine.

I have been using unstable myself on most of my systems for the past
several years. There are many advantages, including being able to
actually test Debian as many have said in this thread. Case in point,
the xz backdoor has been discovered by a Debian unstable user: it would
have likely been found much later had they used stable instead.

Without trying to be overly dramatic though, I consider the xz incident
as some sort of 9/11 of Linux distros. Everyone knew it could have
happened, but now that it has and we see how relatively easy it was I
think it's time to re-evaluate things. I now do not think anymore that
sid is secure enough for high-profile targets such as DDs. All it takes
is one bad upload, and your systems are immediately compromised. Sure
bad stuff can eventually make it to stable as well, but the longer it
takes the more likely for the malicious change to be spotted.

Other than the time aspect, there's the problem of binary uploads too.
How long would it take to spot a well crafted, malicious binary upload
to sid?