[b112]

My above post shows the primary domain for xz moving from tukaani.org to xz.tukaani.org. While it's hosted on github:

$ host xz.tukaani.org

host xz.tukaani.org is an alias for tukaani-project.github.io.

And originally it was not:

$ host tukaani.org

tukaani.org has address 5.44.245.25 (seemingly in Finland)

It was moved there in Jan of this year, as per the commit listed in my prior post. By this same person/account. This means that instead of Lasse Collin's more restrictive webpage, an account directly under the control of the untrusted account, is now able to edit the webpage without anyone else's involvement.

For example, to make subtle changes in where to report security issues to, and so on.

So far I don't see anything nefarious, but at the same time, isn't this the domain/page hosting bad tarballs too?

[pja]

This account changed the instructions for reporting security issues in the xz github as their very last commit:

    commit af071ef7702debef4f1d324616a0137a5001c14c (HEAD -> master, origin/master, origin/HEAD)
    Author: Jia Tan <jiat0218@gmail.com>
    Date:   Tue Mar 26 01:50:02 2024 +0800

        Docs: Simplify SECURITY.md.

    diff --git a/.github/SECURITY.md b/.github/SECURITY.md
    index e9b3458a..9ddfe8e9 100644
    --- a/.github/SECURITY.md
    +++ b/.github/SECURITY.md
    @@ -16,13 +16,7 @@ the chance that the exploit will be used before a patch is released.
     You may submit a report by emailing us at
     [xz@tukaani.org](mailto:xz@tukaani.org), or through
     [Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new).
    -While both options are available, we prefer email. In any case, please
    -provide a clear description of the vulnerability including:
    -
    -- Affected versions of XZ Utils
    -- Estimated severity (low, moderate, high, critical)
    -- Steps to recreate the vulnerability
    -- All relevant files (core dumps, build logs, input files, etc.)
    +While both options are available, we prefer email.

     This project is maintained by a team of volunteers on a reasonable-effort
     basis. As such, please give us 90 days to work on a fix before

Seems innocuous, but maybe they were planning further changes.

[bombcar]

> Seems innocuous, but maybe they were planning further changes.

Seems like an attempt to get 90 days of "use" of this vulnerability after discovery. If they only had checked performance before!

[hackernudes]

No, they just removed the bullet points about what to include in a report. The 90 days part was in both versions.

[meragrin_]

Yes. An incomplete report allows for dragging out "fixing" the issue longer.

[bombcar]

True, but the "talk only to me" part was new, I think.

[hughesjj]

They didn't add any content, it was a pure removal commit

[mxmlnkn]

The website change reminds me a bit of lbzip2.org https://github.com/kjn/lbzip2/issues/26#issuecomment-1582645... Although, at the moment, it only seems to be spam. The last commit was 6 years ago, so I guess that's better than a maintainer change...

[buildbot]

> tukaani.org has address 5.44.245.25 (seemingly in Finland)

Hetzner?

[yencabulator]

For what it's worth, tukaani is how you spell toucan (the bird) in Finnish, and Lasse is a common Finnish name; the site being previously hosted in Finland is very plausible.

[Stagnant]

Yeah according to their website[0] it looks like majority of the past contributors were Finnish so nothing odd about the hosting provider. On the same page it says that Jia Tan became co-maintainer of xz in 2022.

0: https://tukaani.org/about.html

[TimWolla]

No:

    route:          5.44.240.0/21
    descr:          Zoner Oy
    origin:         AS201692
    mnt-by:         MNT-ZONER
    created:        2014-09-03T08:09:00Z
    last-modified:  2014-09-03T08:09:00Z
    source:         RIPE

[whizzter]

It's Finnish, Oy is short for "Osake Yhtiö" (share-association, basically a LLC), seems to be registered/hosted at https://www.zoner.fi/

[jaakl]

So probably Suojelupoliisi, Finnish Security and Intelligence Service is behind all this

[ancientMariner]

Zoner is a Finnish web hosting company, which has a history of providing hosting for Finnish open source projects, and the original maintainer (and most of the original crew) is Finnish as well. Nothing weird here.

[buildbot]

Interesting, seems to be a tiny finnish hosting company: https://www.zoner.fi/english/