Jakub Jirutka on Nostr: If #xz were a Go or Rust dependency, you wouldn’t have a single copy of xz library ...
If #xz were a Go or Rust dependency, you wouldn’t have a single copy of xz library on your system, but many, #xzbackdoor hidden in every executable that uses it. Distros would have to rebuild all packages using that lib (not just the lib itself), which could take days or weeks, and users would have to update them all, downloading tens or hundreds of megabytes.
If you install binaries directly from vendors/devs, it’s even worse – you wouldn’t even know which ones are affected and you’d (1/3)
Published at
2024-04-01 17:29:21Event JSON
{
"id": "7c5db953bee54e388b6a9178695f73daafc31b47cdeae28534b08e07d5038d58",
"pubkey": "28f7f3501688ab15ae88e7dbd915f1c1e55f0906bf3e07b273588665951140f5",
"created_at": 1711992561,
"kind": 1,
"tags": [
[
"t",
"xzbackdoor"
],
[
"t",
"xz"
],
[
"proxy",
"https://social.jirutka.cz/users/jakub/statuses/112197144480636368",
"activitypub"
]
],
"content": "If #xz were a Go or Rust dependency, you wouldn’t have a single copy of xz library on your system, but many, #xzbackdoor hidden in every executable that uses it. Distros would have to rebuild all packages using that lib (not just the lib itself), which could take days or weeks, and users would have to update them all, downloading tens or hundreds of megabytes.\n\nIf you install binaries directly from vendors/devs, it’s even worse – you wouldn’t even know which ones are affected and you’d (1/3)",
"sig": "dc17a093ff7da9d2a132cee1d91023bb89b55f4366df17506f0f435c45108907f31c5839a2fe3e75bd4bf3cb05e983abd2d1ca4e82aa37c916cd052b8c9a0ce9"
}