Bibliography for this mini-tragedy around systemd and the “provocative” vindication of zstd (systemd is usually compiled against liblzma, not libzstd).
Here is some reading material to print and keep at your bedside:
- https://nvd.nist.gov/vuln/detail/CVE-2024-3094
- https://security.archlinux.org/CVE-2024-3094
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5008221
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://archlinux.org/news/the-xz-package-has-been-backdoored/
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor (this one I don’t like; it is very race/ethnic finger-pointing oriented, with some very, very dumb or naive assumptions about “persons” instead of corporate/agency entities).
- https://web.archive.org/web/20240329223553/
- https://github.com/tukaani-project/xz/issues/92
- https://www.reddit.com/r/archlinux/comments/1bqxnsm/was_the_xz_rebuild_better_or_worse/
- https://news.ycombinator.com/item?id=39867126
The list will be extended as good material and analysis are found; please suggest more through the comments.