On Sat, Dec 27, 2025 at 11:59:27PM +0000, William Richards #SaveOurInternet wrote:
> Hello Debian (and RedHat),
> I am wondering if anyone ended up compressing (or considered compressing)
> their software with XZ Utils before the latest Debian build at the time of
> the backdoor's discovery was released. Are they allowed to do that? Has any
> developer considered it at one point?
> Also:
[...]

That thing has been described extensively. I don't understand why you are posing these questions. Have you read, e.g.

https://en.wikipedia.org/wiki/Xz_backdoor#Mechanism

Do you have any reason to believe that this exploit targeted anything other than the patched-for-systemd sshd server variants?

Remember: for stealthiness, the exploit was injected during the "make test" phase, thus avoiding being seen directly in the source code. It checked whether it was "in" the mentioned SSH patch.

(As a side note, this "indirect deploy during the build process" has gained some tradition in the wild, as can be seen in [1]. This is interesting, because Ken Thompson demonstrated this pattern already in 1984 [2]. Sometimes, industry moves slowly.)

Cheers

[1] https://lwn.net/Articles/773121/
[2] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

-- 
t