Thursday, April 04, 2024

Re: lcamtuf on the recent xz debacle

Hello Peter and all,

I have seen the following comment, or similar, in several articles now:
"On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems." https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/ 

There are a couple of problems with this statement, but I just want to focus in on the "almost all installations of Linux and other Unix-like operating systems" part.  From my understanding, it is certainly almost all installations of Linux, but the "and other Unix-like operating systems" doesn't seem founded.  From what I understand, this backdoor would not affect any flavour of *BSD, or of illumos for that matter (ex. SmartOS), or QNX, or Solaris.  Just for clarity, does anyone know what "Unix-like operating systems" would be affected by this?

Thank you,
Katie


From: owner-misc@openbsd.org <owner-misc@openbsd.org> on behalf of Aaron Mason <simplersolution@gmail.com>
Sent: 03 April 2024 19:17
To: misc@openbsd.org <misc@openbsd.org>
Subject: Re: lcamtuf on the recent xz debacle
 

On Sat, Mar 30, 2024 at 9:32 PM Peter N. M. Hansteen <peter@bsdly.net> wrote:
>
> "This dependency existed not because of a deliberate design decision
> by the developers of OpenSSH, but because of a kludge added by some
> Linux distributions to integrate the tool with the operating
> system's newfangled orchestration service, systemd."
>

As if I needed another reason to intensely dislike systemd...

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
