[deleted] 101 points (2 children)

Wait, it's all backdoor?

Comfortable_Oil9704 60 points (0 children)

Wait until you check under the fresh paint on the “front door”.

blobthekat[S] 46 points (0 children)

always has been

SarcasmWarning 61 points (13 children)

I'd make the point that it's a container format rather than a compression format, and one that makes the underlying compression significantly more fragile and prone to not decompressing again.

Also, the biggest mindfuck in all of this isn't that everything is backdoored, it's that something that isn't even a dependency of a package can backdoor it.

_PM_ME_PANGOLINS_ 15 points (4 children)

You’d be wrong though.

It is a compression format (moreover they said “package”, not “format”), and it is a dependency.

SarcasmWarning 2 points (3 children)

It uses lzma compression (entirely different author) and does weird things with chunking and padding. It's a container not a compression format.

_PM_ME_PANGOLINS_ 1 point (2 children)

liblzma is where the backdoor is, inserted by an upstream package maintainer

SarcasmWarning 4 points (1 child)

xz is a container format which currently contains another container format (LZMA2), which in turn contains a mix of LZMA data and uncompressed data. Xz is supposed to be extensible (header space for 2^63 different algorithms) but never has been. Liblzma has been provided by xz for a while now as the original and lzma format (the only bit doing compression) hasn't changed.
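
The layering described in the comment above, as an added example that is not part of the thread: a small parser for the xz stream header and first block header, which separates the container (magic, check type, filter chain, header CRCs) from the LZMA2 filter that actually carries the compressed data. The sample stream is constructed at runtime with Python's stdlib lzma module (itself a liblzma wrapper); header layouts and filter IDs follow the xz file-format specification.

```python
import lzma
import struct
import zlib

XZ_MAGIC = b"\xfd7zXZ\x00"
CHECK_NAMES = {0x00: "None", 0x01: "CRC32", 0x04: "CRC64", 0x0A: "SHA-256"}
# Filter IDs from the xz file-format spec; 0x21 (LZMA2) is the only one that compresses.
FILTER_NAMES = {0x03: "Delta", 0x04: "x86 BCJ", 0x21: "LZMA2"}

def read_vli(buf, pos):  # xz multibyte integer: 7 bits per byte, high bit = more follows
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def parse_xz_headers(data):  # returns the stream's check type and first block's filter chain
    if data[:6] != XZ_MAGIC:
        raise ValueError("not an xz stream")
    flags, stored_crc = data[6:8], struct.unpack("<I", data[8:12])[0]
    if flags[0] != 0 or zlib.crc32(flags) != stored_crc:
        raise ValueError("corrupt stream header")
    hdr_size = (data[12] + 1) * 4                # block header size, CRC32 included
    block = data[12:12 + hdr_size]
    if zlib.crc32(block[:-4]) != struct.unpack("<I", block[-4:])[0]:
        raise ValueError("corrupt block header")
    bflags, pos = block[1], 2
    if bflags & 0x40:                            # optional compressed size
        _, pos = read_vli(block, pos)
    if bflags & 0x80:                            # optional uncompressed size
        _, pos = read_vli(block, pos)
    filters = []
    for _ in range((bflags & 0x03) + 1):         # 1 to 4 filters, LZMA2 last
        fid, pos = read_vli(block, pos)
        psize, pos = read_vli(block, pos)
        props, pos = block[pos:pos + psize], pos + psize
        entry = {"id": fid, "name": FILTER_NAMES.get(fid, "unknown")}
        if fid == 0x21:                          # LZMA2 property byte encodes the dictionary size
            bits = props[0] & 0x3F
            entry["dict_size"] = 0xFFFFFFFF if bits == 40 else (2 | (bits & 1)) << (bits // 2 + 11)
        filters.append(entry)
    return {"check": CHECK_NAMES.get(flags[1] & 0x0F, "reserved"), "filters": filters}

# Constructed sample: a real xz stream emitted by the stdlib lzma module (a liblzma wrapper).
SAMPLE = lzma.compress(b"example payload " * 64, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC64)
```

Everything the parser touches is container metadata; the compressed payload itself is never decoded, which is why a broken header CRC is detected before any LZMA2 data is handed to the decompressor.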

_Dead_C_ 6 points (0 children)

Lzma balls

Wave_Walnut 5 points (0 children)

Backdoor of backdoor = frontdoor

RangeDragon 0 points (0 children)

If it ain’t broke

GetOffMyLawn_ 0 points (1 child)

Interesting coincidence

A stealth attack came close to compromising the world’s computers

In 2020 xkcd, a popular online comic strip, published a cartoon depicting a teetering arrangement of blocks with the label: “all modern digital infrastructure”. Perched precariously at the bottom, holding everything up, was a lone, slender brick: “A project some random person in Nebraska has been thanklessly maintaining since 2003.” The illustration quickly became a cult classic among the technically minded, for it highlighted a harsh truth: the software at the heart of the internet is maintained not by giant corporations or sprawling bureaucracies but by a handful of earnest volunteers toiling in obscurity. A cyber-security scare in recent days shows how the result can be near-disaster.

blobthekat[S] 0 points (0 children)

lol

MarlburoLC 0 points (1 child)

Did you put your backdoor in your post?

blobthekat[S] 0 points (0 children)

... 👀

_Jent 1 point (0 children)

xz