Re: xz backdoor
From: Attila Lendvai
Subject: Re: xz backdoor
Date: Tue, 02 Apr 2024 08:23:40 +0000

> There's actually suspicious code by the xz attacker in one of our
> packages right now:
>
> https://issues.guix.gnu.org/issue/70113
>
> Please help review that patch!

as for gpaste (one of the dependees of libarchive):

it doesn't build since the recent gnome merge. i've filed a patch for the
necessary version bump:

https://issues.guix.gnu.org/70133

which also gets rid of the libarchive dependency.

it would be nice to get this fast tracked. although, judging from the (lack of)
complaints, i might be the only user of it.

PS: and meanwhile we're packaging an alternative, namely
gnome-shell-extension-clipboard-indicator, with an enormous security flaw: by
default it saves the clipboard history in clear text, and calls the feature
"cache only favorites", so that even if you look for it, you still don't
realize it:

https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439

...and its author actively defends this situation.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“The noble-minded are calm and steady. Little people are forever fussing and
fretting.”
— Confucius (551–479 BC), 'Analects of Confucius'