On Fri, Mar 29, 2024 at 07:44:12PM +0100, Mikel Olasagasti wrote:
> Hi,
>
> I'm seeing weird things.
>
> For whatever reason Source for xz was changed 2 months ago[1] to use
> GH releases instead of tukaani.org site.
>
> The XZ page[2] has a note stating:
>
> "Note: GitHub automatically includes two archives Source code (zip)
> and Source code (tar.gz) in the releases. These archives cannot be
> disabled and should be ignored."
>
> And the WayBackMachine[3] doesn't have previous versions.
>
> Do we know if GH release tarballs are safe?
> @richard, do you remember why you had to change the source for the tarball?

Sadly the release tarballs we used *do* contain the vulnerability.
I checked myself that the payload is present in the final xz RPMs.

Rich.

> Regards,
> Mikel
>
> [1] https://src.fedoraproject.org/rpms/xz/c/0c09a6280b4a0c4fd7a9fc742c09469c95ff431f?branch=f40
> [2] https://xz.tukaani.org/
> [3] https://web.archive.org/web/20240119212251/https://xz.tukaani.org/
>
> Kevin Kofler via devel (devel@xxxxxxxxxxxxxxxxxxxxxxx)
> wrote this (Fri, 29 Mar 2024, 19:01):
> >
> > Hi,
> >
> > wow: https://www.openwall.com/lists/oss-security/2024/
> >
> > I think at this point we clearly cannot trust xz upstream anymore and should
> > probably fork the project.
> >
> > Kevin Kofler
> >
> > --
> > _______________________________________________
> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
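The question in the thread is whether a release tarball can be trusted and Richard's answer is that the ones used did carry the payload. Two checks a packager can run on a downloaded tarball before it goes into a build are shown below as an added example; this is not code from the thread, from Fedora's tooling or from the xz project. It assumes pinned checksums in BSD-style `SHA512 (name) = hex` lines (the layout of a Fedora `sources` file) and a reference archive generated from the upstream git tag; both archives and the checksum line are constructed in memory, and all file names are invented.

```python
"""Added example (not from the thread): two defender-side checks on a
release tarball before it is built into a package.

1. verify_pinned_digest: confirm the blob matches the checksum the
   packager recorded (BSD-style `SHA512 (name) = hex` lines, as in a
   Fedora `sources` file).
2. compare_archives: diff the file set and per-file digests of a
   candidate tarball against a reference archive (assumed to come from
   the upstream git tag), reporting paths that were added, dropped or
   changed in the distributed tarball.

All archives, paths and checksums below are constructed in memory.
"""
import hashlib
import io
import re
import tarfile


def build_tar(files):
    """Build an in-memory .tar.gz from {path: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_digests(tar_bytes):
    """Map each regular file in a tarball to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                data = tf.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(reference, candidate):
    """Return added/removed/modified paths of candidate relative to reference."""
    ref = member_digests(reference)
    cand = member_digests(candidate)
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "modified": sorted(p for p in ref.keys() & cand.keys()
                           if ref[p] != cand[p]),
    }


# One pinned-checksum line: "<ALGO> (<file name>) = <hex digest>"
SOURCES_LINE = re.compile(r"^(SHA256|SHA512) \((.+)\) = ([0-9a-fA-F]+)$")


def verify_pinned_digest(name, tar_bytes, sources_text):
    """True only if a line for `name` exists and its digest matches the blob."""
    for line in sources_text.splitlines():
        m = SOURCES_LINE.match(line.strip())
        if not m or m.group(2) != name:
            continue
        algo, expected = m.group(1).lower(), m.group(3).lower()
        return hashlib.new(algo, tar_bytes).hexdigest() == expected
    return False  # no pin recorded for this name: a failure, never a pass


# Constructed sample data: a "git tag" archive and a distributed tarball
# that carries one extra m4 file and a changed configure script.
COMMON = {
    "pkg-1.0/configure": b"#!/bin/sh\necho configuring\n",
    "pkg-1.0/src/main.c": b"int main(void){return 0;}\n",
    "pkg-1.0/m4/common.m4": b"dnl shared macro\n",
}
REFERENCE_TAR = build_tar(COMMON)
CANDIDATE_TAR = build_tar({
    **COMMON,
    "pkg-1.0/configure": b"#!/bin/sh\necho configuring\necho extra step\n",
    "pkg-1.0/m4/unexpected.m4": b"dnl not present in the tagged tree\n",
})
TARBALL_NAME = "pkg-1.0.tar.gz"
# The packager's pinned checksum, computed here from the reference archive.
SOURCES_TEXT = (f"SHA512 ({TARBALL_NAME}) = "
                f"{hashlib.sha512(REFERENCE_TAR).hexdigest()}\n")


if __name__ == "__main__":
    print("pinned digest ok:",
          verify_pinned_digest(TARBALL_NAME, CANDIDATE_TAR, SOURCES_TEXT))
    print("differences:", compare_archives(REFERENCE_TAR, CANDIDATE_TAR))
```

The digest check only proves the tarball is the one the packager pinned; if the pin was taken from a compromised release, it passes. The archive diff is the complementary check: generated files such as `configure` are expected to differ from the tag, so the useful output is the `added` list and any `modified` path that is not a known build artefact, which is what a reviewer should read by hand before the package is built.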