Mastodawn

Kevin Beaumont Mar 31, 2024

I don’t agree with all the doom saying about XZ incident.

You just know orgs are going to return after Easter and panic about it unnecessarily (they’re likely still on Redhat 6). It doesn’t impact them as it was caught super early.

Regarding the narrative that there’s nothing that can be done about these type of attacks - I also don’t agree. There’s already a change in the pipeline to systemd which would have prevented it.

The thing needs rational, calm reaction and response.

Show thread

Drew Scott Daniels

@GossiTheDog I worry about all the questions inbound about whether we use that version of xz from customers. Of course we don’t. We’ve had similar questions about other high profile things more than anything else.

I’ve heard that selinux might have brought in the same dependency as systemd.