
Is that version truly vetted? "Jia Tan" has been the official maintainer since 5.4.3, could have pushed code under any other pseudonym, and controls the signing keys. I would have felt better about reverting farther back, xz hasn't had any breaking changes for a long time.


It looks like this is being discussed, with a complication of additional symbols that were introduced: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024


Thanks for this! I found this URL in the thread very interesting!

https://www.nongnu.org/lzip/xz_inadequate.html


It is an excellent technical write-up and yet again another testimonial to the importance of keeping things simple.


The other comments here showing that the backdoor was a long-term effort now make me wonder just how long of an effort it was...


It's not only that account, other maintainer has been pushing the same promotion all over the place.



