I'm doing my best to make my coverage of the xz backdoor accessible to laypeople while also providing the technical details engineers need. I'm also updating as new info becomes available. I hope it's helpful.

https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

What we know about the xz Utils backdoor that almost infected the world

Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.

Ars Technica
@dangoodin There's nobody I'd rather have covering it.
@dangoodin thank you for this dan, and everyone else working on this.
this is a great recap. well done. thanks.
@dangoodin brilliant write up, thank you
@dangoodin
I am looking at whether my distribution is affected and came across this
https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/
Perhaps also useful for us lay users?
XZ Utils backdoor update: Which Linux distros are affected and what can you do? - Help Net Security

The news that XZ Utils, a utility present in most Linux distributions, has been backdoored has rattled the open-source software community.

Help Net Security
@dangoodin the article still says that the backdoor allows login. But in fact it allows remote code execution.
The payload is delivered as an ssh certificate. The login will fail, but the backdoor will read the certificate and extract the payload from there.
So there is never a remote login, but code can be run.
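For readers asking whether their own machine is exposed, the following is an added example (not code from the thread, from Ars Technica, or from the xz project): a small POSIX shell script that checks the two things that matter for this incident. It assumes two facts from the public advisories: the backdoored upstream releases were xz/liblzma 5.6.0 and 5.6.1, and the payload only has something to hook when the sshd binary ends up with liblzma mapped into its process (typically through libsystemd on distributions that patch OpenSSH for systemd notification). The version and `ldd` parsing is split into functions that read stdin so the logic can be exercised on constructed text without an sshd present.

```shell
#!/bin/sh
# Added example: local exposure check for the xz-utils backdoor.
# Assumptions (from public advisories, not from this thread):
#   - backdoored upstream releases: xz 5.6.0 and 5.6.1
#   - sshd is only affected if liblzma is loaded into its process

# Returns 0 if the given xz version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version number from `xz --version` output on stdin.
# The first line looks like "xz (XZ Utils) 5.6.1".
parse_xz_version() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 if `ldd` output on stdin shows liblzma mapped into the binary.
ldd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Runs both checks against the live system, skipping what is not installed.
check_system() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | parse_xz_version)
        if xz_version_affected "$ver"; then
            echo "xz $ver: backdoored upstream release; follow your distro's advisory"
        else
            echo "xz ${ver:-unknown}: not one of the backdoored releases"
        fi
    fi
    sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null || true)
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | ldd_links_liblzma; then
            echo "$sshd_path loads liblzma: exposed if that library is a backdoored build"
        else
            echo "$sshd_path does not load liblzma: the sshd hook has nothing to patch"
        fi
    fi
}

check_system
```

Note that a distribution may ship a fixed package whose `xz --version` still reports 5.6.x (or a downgrade that reports 5.4.x), so the version check is a first filter, not a verdict; the distro advisory linked above is the authority for which package build is clean.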

@gunstick

Thanks for pointing that out. I just reworked and am pretty sure I explained it better this time.

@dangoodin I appreciate both the summary and the links to more details.

@dangoodin
I think there needs to be more work amongst Linux distros and other libre software projects to identify libraries and other software that are critical (lots of things use xz) but need funding, as I suspect a lack of funding for the developer is at least partially responsible for setting the stage for the events that transpired.

#xz #floss

@dangoodin shared your article at work, but I may be like 1 of 4 people that care enough to read it lol
@dangoodin Thank you for this superlative run-down. Simply a fab piece. #XZ
@dangoodin this is a great summary. Thanks for sticking to what we know and keeping the speculation to a minimum!
@dangoodin It is. Thank you. Love your work 💜
@fruchiante @dangoodin Yes, I've read something about that.
I understand very little about how the system works and the controls that exist for updating and releasing open source software, but it seems to me that what happened shows that, despite any shortcomings, one way or another it works, because it was detected before it was released en masse.
@dangoodin Thank you so much for this!
@dangoodin Thanks for linking to my article, Dan!