On 30-03-2024 22:10, Christopher Klooz wrote:
> On 30/03/2024 20.08, Sandro wrote:
>> On 30-03-2024 13:26, Christopher Klooz wrote:
>>> I don't know how the assumption came up that F40 is only affected if
>>> users opted in for testing, but that interpretation already ended up
>>> in the Fedora Magazine and in the official linkedin post of Fedora (I
>>> already asked to correct it).
>>
>> I believe that statement is correct, since none of the xz-5.6.x
>> packages ever made it to F40 stable. The furthest they've got was
>> updates-testing, which is not enabled in the official Beta releases.
>> However, if you installed F40 before Beta was released, then
>> updates-testing is enabled and users may have installed the vulnerable
>> package with a simple `sudo dnf upgrade`.
>>
>> I admit the wording could be clearer in that opting in to
>> updates-testing might have been done on your behalf simply by
>> installing F40 sometime between branching and the Beta release. Some
>> users might not be aware of that.
>>
>> It may also help to provide some simple instructions on how users can
>> check if they have any of the vulnerable versions installed in the
>> article itself. I see a comment to that extent.
>>
>> So, the situation around F40 is somewhat murky since a lot of factors
>> come into play, but the statement that 5.6.x never made it to F40 stable
>> is correct[1] and therefore users not having updates-testing enabled
>> could not have installed 5.6.x without expressly enabling it.
>>
>> [1] https://bodhi.fedoraproject.org/updates/?search=xz-5.6
>
> I don't think this is right. Adam Williamson and Michael Catanzaro
> already confirmed that F40 has testing enabled by default because it is
> pre-release. It was also confirmed that some packages could have been
> installed on F40 variants (see also the points of Michael and Richard
> here in the devel mailing list). Michael and Adam also wrote some
> references in the Fedora Discussion topic [1] about this.

From what I understood, F40 Beta, the official Beta release, available
from the website as of March 26, has updates-testing disabled by
default. That was confirmed by several people in #devel yesterday when
the Fedora Magazine article was still being worked on.

It's the RC composes that are made after branching and before Beta is
declared GO that have updates-testing enabled by default. I was one of
the persons raising that point. I'm less certain wrt upgrades in the
period between branching and Beta release.

If that is incorrect and Beta shipped with updates-testing enabled,
deliberately or by accident, then I stand corrected.

> It is obviously still an issue that is evolving and what seems clear now
> might prove different later. But so far I tend to leave the discussion
> topic as it is and ensure that F40 users expect to be compromised and
> are informed to act accordingly with the suggested actions. However,
> I already added a point on how users can check if they have a malicious build.

I agree. Once the levees broke, news was traveling fast and, for some,
panic may have set in, not helping in determining what information is
accurate.

Advice to err on the side of caution, check your system and upgrade if
unsure, is certainly what I would tell anyone. Even distros (Arch,
Gentoo) where it turned out the payload wasn't injected acted out of an
abundance of caution and put out advisories and updates for their users.

What's written on Discussion looks to be covering the broad spectrum.
Maybe the Fedora Magazine article could link to that post for further
clarification.

> [1]
> https://discussion.fedoraproject.org/t/attention-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683/36
-- Sandro
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
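The two checks the thread asks for (is an xz build from the affected 5.6.x series installed, and is updates-testing enabled on this machine), written out as an added shell example. This is not code from the thread, from the Fedora Magazine article or from the Fedora project. It treats 5.6.0 and 5.6.1 as the affected 5.6.x releases (the versions CVE-2024-3094 covers), assumes rpm's default `name-version-release.arch` query output, and assumes the repo switch lives in `/etc/yum.repos.d/fedora-updates-testing.repo` under a `[updates-testing]` section. The package strings and the two `.repo` files are constructed so the script runs offline; the live check at the end only runs where `rpm` is available.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Fedora.
# Two checks a Fedora user can run after reading the thread:
#   1. is an xz build from the affected 5.6.x series (5.6.0 / 5.6.1) installed?
#   2. is the updates-testing repository enabled on this system?
# Package strings and .repo files below are constructed for an offline demo;
# the live check at the bottom only runs when `rpm` exists on the host.

# classify_xz_nevra NEVRA
#   NEVRA is what `rpm -q` prints: name-version-release.arch,
#   e.g. xz-libs-5.6.1-1.fc40.x86_64. Prints "affected" or "clean".
classify_xz_nevra() {
    nvr=${1%.*}          # strip ".arch"     -> xz-libs-5.6.1-1.fc40
    nv=${nvr%-*}         # strip "-release"  -> xz-libs-5.6.1
    ver=${nv##*-}        # keep the version  -> 5.6.1
    case "$ver" in
        5.6.0|5.6.1) printf 'affected\n' ;;
        *)           printf 'clean\n' ;;
    esac
}

# repo_enabled FILE SECTION
#   Prints "yes" if [SECTION] in a dnf .repo file has enabled=1, else "no"
#   (also "no" when the file is missing or unreadable). On Fedora the file is
#   assumed to be /etc/yum.repos.d/fedora-updates-testing.repo.
repo_enabled() {
    [ -r "$1" ] || { printf 'no\n'; return; }
    awk -v want="[$2]" '
        /^\[/ { insec = ($0 == want) }
        insec && /^[[:space:]]*enabled[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2])
            r = (kv[2] == "1") ? "yes" : "no"; print r; found = 1; exit
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Constructed sample .repo files (not real system state).
SAMPLE_REPO_ENABLED=$(mktemp)
SAMPLE_REPO_DISABLED=$(mktemp)
trap 'rm -f "$SAMPLE_REPO_ENABLED" "$SAMPLE_REPO_DISABLED"' EXIT
cat >"$SAMPLE_REPO_ENABLED" <<'EOF'
[updates-testing]
name=Fedora $releasever - $basearch - Test Updates
enabled=1
EOF
cat >"$SAMPLE_REPO_DISABLED" <<'EOF'
[updates-testing]
name=Fedora $releasever - $basearch - Test Updates
enabled=0
EOF

# Offline demonstration on constructed package strings.
for nevra in xz-libs-5.6.1-1.fc40.x86_64 xz-libs-5.4.6-3.fc40.x86_64; do
    printf '%s -> %s\n' "$nevra" "$(classify_xz_nevra "$nevra")"
done
printf 'sample enabled repo  -> %s\n' "$(repo_enabled "$SAMPLE_REPO_ENABLED" updates-testing)"
printf 'sample disabled repo -> %s\n' "$(repo_enabled "$SAMPLE_REPO_DISABLED" updates-testing)"

# Live check, only where rpm exists (skipped entirely on non-RPM systems).
if command -v rpm >/dev/null 2>&1; then
    rpm -q xz-libs xz 2>/dev/null | while IFS= read -r line; do
        case "$line" in
            xz-*) printf 'installed %s -> %s\n' "$line" "$(classify_xz_nevra "$line")" ;;
        esac
    done
    printf 'updates-testing enabled -> %s\n' \
        "$(repo_enabled /etc/yum.repos.d/fedora-updates-testing.repo updates-testing)"
fi
```

A "clean" result for the installed package only says the build is not one of the two affected versions; the thread's advice to upgrade when unsure still applies, and the repo check is what tells a pre-Beta F40 install whether it could have pulled the package without any explicit opt-in.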