My mastodon feed is full of IT security specialist talking about the xz affair where someone let a backdoor in some library.
But beside showing the two side of Free/Libre software (anybody can add a backdoor, and anybody can spot it), I have no idea how it impacts the average person. Is it a common library or something used only by specific application ? Would my home-grade router protects me ?
why does everyone keep mentioning arch?
Because Arch was one of the distros that distributed the backdoored xz package, though they claim no vulnerability to due to their implementation.
so… they didn’t distribute the backdoored package did they?
Bruh ask Google the question instead of making a stranger figure it out for you. If you want an answer typed up for you go ask a LLM.
I already knew the answer. arch was not affected. hence why i asmed why it kept being mentioned.
I wasn’t asking if arch was affected. I was asking why you keep regurgitating this clearly wrong information (if you bothered to google it, of course)
So no, google could not have answered my question. And if you do use llms for answers, I feel sorry for you
I’m not sure I agree with that, Arch 100% should continue to be mentioned. Just because the Trojan didn’t launch due to the fact that Arch’s environment didn’t meet its criteria, doesn’t mean you should keep a known malicious package on your system.
People keep preaching to the heavens that Arch was not affected by it, but they don’t always state that Arch was infected by it, it just never binds the library to SSHD like Debian systems do (for systemd notifications) so the attack vector is never made.
The arch Wiki official statement on it is that you should remove the malicious package and do a full system update. Which should be common sense, but people have to be aware that the system is infected by it in order to know that they have to remove it. A process that if Arch was never mentioned as being involved users wouldn’t think to do