I wrote a post on the xz backdoor. No backdoor analysis, just considerations on what went wrong.
A few things:
- so far Arch and derivatives seem not to be affected. Only deb and rpm packages.
- source is still available, from the website
- we only found out about the backdoor because it's open source. Corporate software is much more opaque.
- a useful timeline https://infosec.exchange/@fr0gger/112189232773640259
🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)! I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis progresses! 🧐 #infosec #xz
@portaloffreedom There are actual constraints to the exploit, so the real number of targets is unclear until the analysis is complete. Still, having a package built by a malicious attacker doesn't look too good; even Arch suggested patching: https://archlinux.org/news/the-xz-package-has-been-backdoored/
> source is still available, from the website
Yes it is (https://git.tukaani.org/?p=xz.git;a=summary), but the operations were mostly performed on GitHub (the original attacker had access only to it, so inspecting the repo could have given additional info on the attacker's OpSec, but it is now gone for good)
> we only found out about the backdoor because it's open source. Corporate software is much more opaque.
Indeed, this is good; I am not against open source at all. This backdoor was a big issue for supply chain management.