(I've never used a mailing list, and I'm a very "low end user" and my English sucks, so I apologize for any mistakes made here.)
The YouTuber Brodie Robertson made this statement:
"the malicious code end up on the distros because they build from the release tarballs instead of the git repo" - https://odysee.com/@BrodieRobertson:5/the-xz-linux-backdoor-is-incredibly:0
I guess there are reasons to do so, but I thought his point had to be shared here.
On Sunday, 31 March 2024 at 2:28 PM, Carlos E. R.
On 2024-03-29 23:39, Michal Suchánek wrote:
Hello,
On Fri, Mar 29, 2024 at 06:20:27PM +0100, Ana Guerrero Lopez via openSUSE Factory wrote:
Hopefully we'll have soon more detailed information about this CVE.
Somewhat useful information seems to be:
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
-- Cheers / Saludos,
Carlos E. R. (from 15.5 x86_64 at Telcontar)