by jonathanspw 812 days ago
Yesterday sure was fun, wasn't it :p Thanks for all your help/working with me on getting this cleaned up in Fedora.

PSA: I just noticed homebrew installed the compromised version on my Mac as a dependency of some other package. You may want to check this to see what version you get:

   xz --version
Homebrew has already taken action, a `brew upgrade` will downgrade back to the last known good version.
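As an added example (not from the thread or from Homebrew), a small POSIX shell helper that parses the first line of the `xz --version` banner and flags the two release numbers this thread names as affected, 5.6.0 and 5.6.1. The banner format `xz (XZ Utils) <version>` is what real xz prints; the two sample banners below are constructed, not captured from any machine, and the affected-version list is taken from the thread rather than from an authoritative advisory.

```shell
#!/bin/sh
# Added example: classify an `xz --version` banner as affected or not.
# Affected versions as stated in the thread: 5.6.0 and 5.6.1 (assumption).

# Extract the version number from the first line of `xz --version` output.
# Real xz prints e.g. "xz (XZ Utils) 5.6.1" as its first line.
xz_version_from_banner() {
    printf '%s\n' "$1" | head -n 1 \
        | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) if the version string is one of the known-bad releases.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "AFFECTED <ver>", "ok <ver>" or an "unknown" line for a banner.
# Exit status: 0 affected, 1 ok, 2 banner not parseable.
xz_check_banner() {
    ver=$(xz_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unknown (could not parse banner)"
        return 2
    fi
    if xz_is_affected "$ver"; then
        echo "AFFECTED $ver"
        return 0
    fi
    echo "ok $ver"
    return 1
}

# Constructed sample banners, in the shape xz 5.6.1 and xz 5.4.6 print.
SAMPLE_BAD="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_GOOD="xz (XZ Utils) 5.4.6
liblzma 5.4.6"

# Stand-alone use: report on whichever xz is first on PATH, if any.
if command -v xz >/dev/null 2>&1; then
    xz_check_banner "$(xz --version 2>/dev/null)" || true
fi
```

Run it with `sh check-xz.sh` (any filename works); on a Mac with several package managers, point it at each binary explicitly (`xz_check_banner "$(/opt/homebrew/bin/xz --version)"`, for instance) since `command -v xz` only reports the first one on PATH.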
I also had a homebrew installed affected version.

I understand it's unlikely, but is there anything I can do to check if the backdoor was used? Also any other steps I should take after "brew upgrade"?

Quoting[1] from Homebrew on Github:

>> Looks like that Homebrew users (both macOS and Linux, both Intel and ARM) are unlikely affected?

> Correct. Though we do not appear to be affected, this revert was done out of an abundance of caution.

[1] https://github.com/Homebrew/homebrew-core/pull/167512

Thanks for this. I just ran brew upgrade and the result was as you described:

  xz 5.6.1 -> 5.4.6
Sorry, what exact version(s) are the affected one(s) again?

(or SHAs, etc.)

(EDIT: 5.6.0 and 5.6.1 ?)

(EDIT 2: Ooof, looks like the nix unstable channel uses xz 5.6.1 at this time)

I use Nix to manage this stuff on Mac, not Homebrew...

GitHub disabled the xz repo, making it a bit more difficult for nix to revert to an older version. They've made a fix, but it will take several more days for the build systems to finish rebuilding the ~220,000 packages that depend on the bootstrap utils.
Lol they shouldn't be relying on GitHub in the first place.
What should they be relying on instead? Maybe rsync everything to an FTP server? Or Torrents? From your other comments, you seem to think no one should ever use GitHub for anything.
Is it actually compromised on homebrew though? I guess we can't be sure but it seemed to be checking if it was being packaged as .deb or .rpm?
Is 5.2.2 safe? Just 5.6.0 and 5.6.1 are bad?
Is it normal that when I try to uninstall xz it is trying to install lzma?
It means that `xz` was depended upon by something that depends on e.g. "xz OR lzma".