abadidea on Nostr: I’ve seen numerous people express concern that their xz installation is several ...
I’ve seen numerous people express concern that their xz installation is several versions out of date — because while it may have saved them in this specific case, doesn’t that mean they must not be running updates correctly in general?
No! It’s normal for your personal copy of an open source program to be several versions out of date. When you get an update to a commercial software package, it’s already been through months of internal testing by professionals. In volunteer-based open source, the bulk of this testing is done by simply releasing the update on their site and letting advanced users try it out. At some point, if there’s no problems, it will get shuffled forward to stable update channels. Therefore it’s normal for most Linux software to be one to two years out of date compared to the absolute newest version you could possibly get.
The good news is that this backdoor was found before most distros accepted the update as stable, and therefore it was not yet installed on the majority of production servers — it’ll be mainly on testing servers. The bad news is that the malicious actor was clever enough to make sock puppet user accounts to complain about xz crashing and claim that the new update is a critical fix that needs to be rushed out the door as soon as possible. This was a close call, we were very lucky.
No! It’s normal for your personal copy of an open source program to be several versions out of date. When you get an update to a commercial software package, it’s already been through months of internal testing by professionals. In volunteer-based open source, the bulk of this testing is done by simply releasing the update on their site and letting advanced users try it out. At some point, if there’s no problems, it will get shuffled forward to stable update channels. Therefore it’s normal for most Linux software to be one to two years out of date compared to the absolute newest version you could possibly get.
The good news is that this backdoor was found before most distros accepted the update as stable, and therefore it was not yet installed on the majority of production servers — it’ll be mainly on testing servers. The bad news is that the malicious actor was clever enough to make sock puppet user accounts to complain about xz crashing and claim that the new update is a critical fix that needs to be rushed out the door as soon as possible. This was a close call, we were very lucky.