277 points

Commit 77a294d

Update maintainer and author info. The other maintainer suddenly disappeared.

Lmao, that’s putting it lightly.

172 points

the other maintainer now has a special place:

Special author: Jia Tan was a co-maintainer in 2022-2024. He and the team behind him inserted a backdoor (CVE-2024-3094) into XZ Utils 5.6.0 and 5.6.1 releases. He suddenly disappeared when this was discovered.

49 points

RIP Jia Tan

-25 points

I don’t think they would be in much peace. It was years of their work that was ruined by a person with OCD and valgrind.

76 points

41 points

Hmm yes.

The floor is made out of floor

3 points

I like how the first point made is that the backdoor violates the Debian Free Software Guidelines, as if that’s the main problem

128 points

I wonder if he has a donation page. We need to get him some money.

252 points

I agree we should support him, but you know who should be more concerned with giving him and other open source maintainers money? The billion dollar corporations that rely on these critical projects and use them absolutely for free. Amazon, Microsoft, Sony, Samsung, Google, Siemens, Motorola, God knows how many more.

83 points

But when open source projects go dual license to try and get paid people lose their minds.

21 points

This!!!

This!!

People, stop celebrating “freeing” software of maintainers that want to prevent being exploited.

7 points

Seriously. If you’re not a business why do you care?

-9 points

How many of these dual license solutions have donated to xz maintenance?

-10 points

Because that’s a bad not even a solution.

37 points

He probably needs a co-maintainer. We could select one of us and then try pressuring him into accepting that.

30 points

Stop right there, Jio Tan! The same trick doesn’t work twice.

16 points

We need more non-profits who can set aside funds for these projects. It's not like these companies don’t want to help, it's just not entirely clear how they can help.


They can help by donating some of their billions.

-2 points

I bet Samsung would not even know if open source is a thing

3 points

Samsung is the primary developer for Tizen, a Linux based OS similar to Android. Their watches, cameras, and TVs run it.

https://www.tizen.org/

2 points

I gotta hand it to Samsung that they outline all the open source licences they use, at least in their Galaxy smartphone products:

13 points

I wrote to ask him but I never heard back. To be fair he’s probably quite stressed at the moment.

32 points

Can someone provide a summary on what this means? I thought there were malicious exploits in this. Why is it back up and the perpetrator unbanned?

157 points

Lasse Collin is not the perpetrator, that would be “Jia Tan”.

https://tukaani.org/xz-backdoor/

97 points

Lasse is the original maintainer of XZ, they have been placed back in their position as sole maintainer.

“Jia Tan” was the person who slipped the backdoor into XZ and is now banned.

Lasse has already fixed and removed the backdoor.

XZ itself is critical software everyone uses (it's one of the main compression/decompression programs used on Linux)

5 points

Yes but damage seems to be done. Distros are talking or have moved off of it to zstd.

22 points

There are some, probably. But any exodus will be slow. Xz isn’t useless because it was dangerous once.

10 points

Zstd and xz fulfil different needs. Xz takes more time to compress and is faster to decompress as far as I know.

10 points

I would argue this might make xz safer mid-term. So many eyes on it. I’m not familiar with other solutions, but who’s to say the bad actor won’t try a similar trick elsewhere

58 points

Exploits were removed. Maintainer who committed them still banned. xz is a critical piece of software.

41 points

There’s a Wikipedia article regarding this incident. Have a look: https://en.wikipedia.org/wiki/XZ_Utils_backdoor

37 points

This sounds just like something Jia Tan might say…

36 points

Don’t downvote people asking questions.

2 points

Deleted by creator

0 points

It’s just a question. Any implications or tone you perceive here is likely your own projection.

Try and read it assuming the poster is asking in good faith.

36 points

The second maintainer was most likely the culprit.
