There simply is no established or easy way to detect backdoors done the #xz way. We give powers and trust to maintainers because that is the development model.

Anyone suggesting there is an easy fix has not understood the issues at hand.

But we are Open Source which allows everyone to dig, check, read code and investigate.

@bagder It is difficult but the xz incident is also a success story: the backdoor was spotted before landing in stable Linux distributions.
#xz was probably chosen due to the presence of a corrupted xz file as part of the tests making it an ideal candidate for hiding data. In cryptography there are https://en.wikipedia.org/wiki/Nothing-up-my-sleeve_number - the same principle could be used to reject mysterious blobs from codebases. Yet many "bugdoors" can be introduced by creating subtle vulnerabilities and that's difficult to spot.
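As an added example (not code from this thread), one defender-side way to apply the nothing-up-my-sleeve idea to a test corpus: every binary fixture must be regenerable from a short, documented recipe, and a blob that has no recipe, or whose bytes differ from the recipe's output, is flagged for review. The repository contents, file paths and recipes below are constructed for the demo.

```python
"""Reproducibility audit for binary test fixtures.  A blob is acceptable only
if it equals the output of a documented, deterministic recipe; opaque blobs
(no recipe) and blobs carrying extra bytes (recipe mismatch) are flagged."""
import lzma


def recipe_good_xz():
    # Honest fixture: a valid .xz stream built from an obviously boring seed.
    return lzma.compress(b"hello world\n" * 4, format=lzma.FORMAT_XZ, preset=6)


def recipe_truncated_xz():
    # A deliberately corrupted fixture is fine, as long as the corruption is
    # itself a recipe: here, the valid stream cut after 20 bytes.
    return recipe_good_xz()[:20]


# Map of fixture path -> generator.  This is the "nothing up my sleeve"
# documentation a reviewer can re-run.
RECIPES = {
    "tests/files/good-1.xz": recipe_good_xz,
    "tests/files/truncated.xz": recipe_truncated_xz,
}


def audit_fixtures(repo, recipes):
    """Return {path: verdict} for every fixture in `repo` (path -> bytes).
    Verdicts: 'ok', 'mismatch' (recipe output differs) or 'no-recipe'."""
    verdicts = {}
    for path, blob in sorted(repo.items()):
        gen = recipes.get(path)
        if gen is None:
            verdicts[path] = "no-recipe"
        elif gen() == blob:
            verdicts[path] = "ok"
        else:
            verdicts[path] = "mismatch"
    return verdicts


def build_sample_repo():
    """Constructed sample tree: one honest fixture, one fixture with bytes
    appended after the recipe output, and one blob with no recipe at all."""
    return {
        "tests/files/good-1.xz": recipe_good_xz(),
        "tests/files/truncated.xz": recipe_truncated_xz() + b"\x00extra-bytes",
        "tests/files/bad-unknown.xz": b"\xfd7zXZ\x00" + b"\x42" * 64,
    }


if __name__ == "__main__":
    for path, verdict in audit_fixtures(build_sample_repo(), RECIPES).items():
        print(f"{verdict:10} {path}")
```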

@federico3 yes, the xz backdoor was spotted, but we don't know how many others we have not spotted (yet). xz was in many ways an ideal target for this attack, but I imagine that there are many others as well, even if they would need slightly tweaked approaches