
Conan_Kudo

@Conan_Kudo@fosstodon.org

Software Engineer. Linux systems aficionado and developer in Fedora, CentOS, Mageia, and openSUSE. Ex Red Hat, Inc. Ex Datto, Inc. Views are my own.

Sponsor me if you like my work! https://github.com/sponsors/Conan-Kudo

Business inquiries: https://velocitylimitless.com


Conan_Kudo, to random

All this talk about over the weekend, I want to also point out that it's important to remember that the "software supply chain" largely does not exist in regards to open source, because most people have no real relationship other than parasitic consumption with the project.

@Di4na's great blog post on this topic explains it quite well: https://www.softwaremaxims.com/blog/not-a-supplier

Conan_Kudo, to random

Lasse Collin (the main maintainer) has now started working on a review of (credit to @jwf for the clever name!).

https://tukaani.org/xz-backdoor/

It's important to note how critical it was that it was caught now: all the commercial distributions are making releases over the next 12-18 months: Red Hat with RHEL 10 in May 2025, SUSE with SLE 16 in fall 2025, and Canonical with Ubuntu 24.04 in April. It was key to infect their upstreams (Fedora, openSUSE, Debian) now.

Fortunately, it failed.
