My Mastodon feed is full of IT security specialists talking about the xz affair, where someone let a backdoor into some library.

But besides showing the two sides of Free/Libre software (anybody can add a backdoor, and anybody can spot it), I have no idea how it impacts the average person. Is it a common library or something used only by specific applications? Would my home-grade router protect me?

    • sploosh@lemmy.world
      8 months ago

      Because Arch was one of the distros that distributed the backdoored xz package, though they claim no vulnerability due to their implementation.

      • vrighter
        8 months ago

        so… they didn’t distribute the backdoored package did they?

        • sploosh@lemmy.world
          8 months ago

          Bruh, ask Google the question instead of making a stranger figure it out for you. If you want an answer typed up for you, go ask an LLM.

          • vrighter
            8 months ago

            I already knew the answer. Arch was not affected. Hence why I asked why it kept being mentioned.

            I wasn’t asking if Arch was affected. I was asking why you keep regurgitating this clearly wrong information (if you bothered to google it, of course).

            So no, Google could not have answered my question. And if you do use LLMs for answers, I feel sorry for you.

            • Pika@sh.itjust.works
              8 months ago

              I’m not sure I agree with that, Arch 100% should continue to be mentioned. Just because the Trojan didn’t launch due to the fact that Arch’s environment didn’t meet its criteria, doesn’t mean you should keep a known malicious package on your system.

              People keep preaching to the heavens that Arch was not affected by it, but they don’t always state that Arch was infected by it, it just never binds the library to SSHD like Debian systems do (for systemd notifications) so the attack vector is never made.

              The Arch Wiki’s official statement on it is that you should remove the malicious package and do a full system update. Which should be common sense, but people have to be aware that the system is infected by it in order to know that they have to remove it. A process that, if Arch was never mentioned as being involved, users wouldn’t think to do.