by misswaterfairy
116 days ago
The irony being that 'Jia Tan' went out of their way to ensure the backdoor was very well obfuscated, to the point it inadvertently caused bugs and slight, but noticeable, performance issues. One wonders whether the xz backdoor would have been discovered if slightly less obfuscation was used. The whole xz incident is a pretty strong argument to: a) change practice from including binary (opaque) test files themselves to human-readable scripts and tooling that build test files on-demand, b) raise suspicion of any binaries included in open source projects, and c) create much more scrutiny around dependencies of 'highly scrutinised' packages like OpenSSH. It's a shame that there isn't a foundation (that I'm aware of) that can donate time and effort of vetted developers to foundational open source projects like xz.
But xz is not a dependency of upstream OpenSSH you see. It was a dependency of a patch created by Linux distros for systemd integration.