oss-security - Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <87ttknzost.fsf@hope.eyrie.org>
Date: Sat, 30 Mar 2024 09:07:14 -0700
From: Russ Allbery <eagle@...ie.org>
To: Pierre-Elliott Bécue <peb@...ian.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: backdoor in upstream xz/liblzma leading to
 ssh server compromise

Pierre-Elliott Bécue <peb@...ian.org> writes:

> I honestly would like to extend my sympathy to Lasse.

> This situation must clearly be a hell for him.

> Someone asked what would become of xz as a project. I do hope in light
> of this event, some people step in to help.

Also if there's anything the community can do for Lasse personally, please
pass that along.  Anyone can be the victim of social engineering.  The
critical moments always look obvious in retrospect, but it's impossible
for humans to be sufficiently paranoid to catch the signs 100% of the time
and still function in society.

I suspect many of us here have had nightmares about being in Lasse's
position, and probably will have more of them in the future.

-- 
Russ Allbery (eagle@...ie.org)             <https://www.eyrie.org/~eagle/>

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.