On 04.04.24 at 18:58, Knurpht-openSUSE wrote:
On Thursday, 4 April 2024 18:50:35 CEST, Fritz Hudnut wrote:
I thought that would be "obvious" . . . the problem . . . and the response
to the problem . . . in regards to efficiency, etc.
It only shows that Manjaro did not yet downgrade and is still vulnerable.

It only shows that the Archlinux/Manjaro Maintainers are less than knowledgeable about their packages. In spite of not building rpm or Debian packages they claim to have "fixed" the backdoor while going from 5.6.1-1 to 5.6.2-2 [1]. The disassembly of liblzma didn't even change between those package versions.


And that is irrelevant here. 


Pertaining to the relevance to this list:

It is a bit amusing as well as a bit unsettling to me that the Internet is abuzz with Archlinux and Manjaro users thinking they were affected and have been saved by their maintainers, while the known backdoor was never present in their packages, and on the other hand users and maintainers of openSUSE Tumbleweed, the only affected system which could arguably be labeled "for production" or "stable", remained rather unimpressed.

- Ben

[1] https://archlinux.org/news/the-xz-package-has-been-backdoored/