xvlc@feddit.de to Arch Linux@lemmy.ml • The xz package has been backdoored, you need to update your system now • English
29 · 8 months ago
Simply excluding this backdoor does not seem to be sufficient. The malicious actor has contributed over 750 commits to xz, all of which could contain further backdoors.
Downgrading to the last version without any contributions from the malicious actor is not possible either, because of new functionalities and other security issues that were fixed in the meantime. Uninstalling xz is also not possible, because half my system depends on it.
I guess it will take some time to sort all of that out. I am very impressed by the fast and coordinated response to this incident by the FOSS community.
More instances of sabotage are being found.