The poor original maintainer of xz is on it now, and has already found another "fun" thing: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00 . The configure check for enabling the Landlock sandboxing facility was subtly broken, so that Landlock support would never get enabled. The original malicious commit landed around the same timeframe as the main backdoor, also at an abnormal time of day compared to the new maintainer's historical activity pattern.

@danderson I think it's important to give credit where credit is due. Yesterday someone discovered it on GitHub, prior to the repo being taken down. I saved the malicious commit link, because I found it interesting.

Last night (long after all my Mastodon posts, so don't read much into them) I joined the tukaani IRC server, because I was curious if Lasse was aware yet. While I was there I mentioned the issue with that commit, and Lasse pushed the fix. We 1/2

@danderson decided to credit the discovery to "someone on GitHub", but Lasse was really busy+tired, so I think he forgot to include that in the commit description.