XZ Utils review notes (tukaani.org)
96 points by todsacerdoti on April 15, 2024 | hide | past | favorite | 7 comments


I feel terrible for Lasse Collin. He was dealing with his own set of personal issues and is then targeted by this attack. He became overnight the focal point of the Internet, his project and himself scrutinized and analyzed in detail. Ruthless.

Thank you Collin for all the work you and maintainers like you put in over the years. And thank you for taking the time to do this analysis.


Things have calmed down a bit now, but in the immediate aftermath the actions and suspicions of some people were frankly unhinged. Everyone and everything was now suspicious, whether it made sense or not. I've seen people send emails to employers over innocent xz/lzma-adjacent stuff that was almost certainly innocent. The fuck is wrong with some people?


It's kinda hilarious to think that a (group of) bad actor(s) spent years pretending to act in good faith, adding useful patches, in order to try to implant their backdoor only to get busted weeks/months before unleashing hell... And now their useful patches, made in bad faith but still useful, can be reused.

Hope it pisses them off.


> I never reviewed anything under the .github directory and those are skipped here as well.

Shouldn't workflows be under review as well, considering the backdoor's presence and exploit flow in the build process?


I wouldn’t think they need to be if the releases are manually prepared and signed


[flagged]


Hard to get angry at it given the title. As they say, "does what it says on the tin." Never claimed to be succinct or insightful. It looks more like a rolling scratchpad of notes the author is taking while he's reviewing XZ commits.


You're talking to a bot of some sort. See their comment history.



