On Fri, Mar 29, 2024 at 07:25:56PM -0500, Chris Adams wrote: > Once upon a time, Richard W.M. Jones <rjones@xxxxxxxxxx> said: > > (1) We built 5.6.0 for Fedora 40 & 41. Jia Tan was very insistent in > > emails that we should update. > > So this wasn't just a "hey, new upstream version", this was PUSHED on > distributions by the culprit. I have to say that this is not unusual. I myself have even sent messages to other maintainers encouraging them to package or update projects that I've written. A keen upstream maintainer wanting to help or encourage downstream packagers is normally welcome. This is the one case and only case that someone turned out to be malicious (that we know about). They abused our trust. > Are they a contributor to any other software in the distribution? I > think anything they might have touched has to be considered suspect. Yes I agree that anything else touched by this "person" should be considered very suspect. > Either (a) their systems have been completely compromised or (b) they > did this intentionally. Neither is good. The back door is intentional for sure. We don't know the details of if this is an account take-over or a "long con" and what the background to all this is, but I'm sure people are looking into that. > > (2) We got reports later of a valgrind test failure. I also saw it > > myself in my own projects that use liblzma. We notified Jia Tan of > > this. > > Why does libsystemd pull in libzma (as well as liblz4 and libzstd, > because we need three compression libraries in one place)? That seems > to be a broad amount of extra code, for a library that's in a number of > network-listening services is just linked for socket activation. This is a very real issue. Got another email coming up in a bit about this. > Also, while it appears there's more than one developer with Github > commit access (one other made commits since the initial "bad" commit), > it would seem they aren't doing reviews, so not sure how much xz/liblzma > can be trusted to be linked into a whole lot of key programs. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
