Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAH8yC8nw_5rvGtemqZ3ojSaOCoLZnb+5q8m4NxTf5QTJ=5hoQg@mail.gmail.com>
Date: Sat, 30 Mar 2024 11:32:54 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: backdoor in upstream xz/liblzma leading to ssh
 server compromise

On Sat, Mar 30, 2024 at 9:38 AM Pierre-Elliott Bécue <peb@...ian.org> wrote:
>
> Bjoern Franke <bjo@...afweide.org> wrote on 30/03/2024 at 14:06:38+0100:
>
> > Am 30.03.24 um 04:50 schrieb Loganaden Velvindron:
> >> Github has suspended the repo:
> >> https://github.com/tukaani-project/xz
> >> Im wondering what is the next step for the xz project as a whole ?
> >
> > https://git.tukaani.org/?p=xz.git;a=summary exists and Lasse said on
> > IRC he thinks he would make a clean 5.6.2 release.
> >
> > Regards
>
> I honestly would like to extend my sympathy to Lasse.
>
> This situation must clearly be a hell for him.

Lasse published a statement at <https://tukaani.org/xz-backdoor/>.

> Someone asked what would become of xz as a project. I do hope in light
> of this event, some people step in to help.

Perhaps Lasse should turn over control of the project to an entity
like the Linux Foundation. Xz is critical to Linux now, and it needs
more oversight than Lasse can provide. (Not to impugn Lasse; he seems
to be very busy. Extra [trusted] helping hands would probably be
welcomed).

Jeff

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.