Bibliography of this mini-tragedy for systemd and the “provocative” vindication of zstd (which usually is compiled using lib-lzma).
Here is some reading material to print and keep on your bedside:
- https://nvd.nist.gov/vuln/detail/CVE-2024-3094
- https://security.archlinux.org/CVE-2024-3094
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5008221
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://archlinux.org/news/the-xz-package-has-been-backdoored/
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor (this I don’t like, it is very race/ethnic finger pointing oriented with some very very dumb or naive assumptions of “persons” instead of corporate/agency entities).
- https://web.archive.org/web/20240329223553/
- https://github.com/tukaani-project/xz/issues/92
- https://www.reddit.com/r/archlinux/comments/1bqxnsm/was_the_xz_rebuild_better_or_worse/
- https://news.ycombinator.com/item?id=39867126
The list will be enhanced as good material and analysis are found; please suggest more through the comments.
Even if I personally disagree with or dislike something, like the boehs.org article, I will include it as long as it is related and not redundant, that is, not reproducing the same information on another site.
Systemd replacing ELF dependencies with dlopen. https://mastodon.social/@pid_eins/112256363180973672
And suddenly everything becomes clearer, I’ll let you do your analysis..
If you can elaborate a little on the issue it would be nice.
If you mean it is trying to become self-contained and not depend on other sw. that may be good news, for us not using it.
In general it is trying to become THE system with linux as an accessory to it.
Eventually these systems will become as heavy or heavier than win11.
Systemd 256-rc1 new features
“Various library dependencies have been made from regular shared library dependencies into dlopen() ones to enhance security following the XZ backdoor incident.”
What’s next ?
Lennart Poettering reveals run0, alternative to sudo, in systemd v256
https://mastodon.social/@pid_eins/112353324518585654
List: openbsd-misc Subject: Re: lcamtuf on the recent xz debacle
https://marc.info/?l=openbsd-misc&m=171227941117852&w=2