This is going to be an interesting story once this all quiets down...
Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.
Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.
Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.
Me: fixes exposure to vuln
Also me: grabs popcorn
This is going to be an interesting story once this all quiets down...
Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.
Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.
gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.
It’s also at https://git.tukaani.org.
It says F39 users are not affected. Are you running Rawhide/F40 Beta? p
Running Arch, so not really exposed, but still had a compromised version installed.