Nice takeaway for all big tech companys:
"You want me to work a certain way, I am more than happy to do it. But to do that, I am going to have to become a supplier. Which means you are going to have to start to pay me. [...] Until then, I am not your supplier. [...] You are not buying from a supplier, you are a raccoon digging through dumpsters for free code. So I would advise you to put these rules in the same dumpster. And remember. I am not a supplier. Because

THIS SOFTWARE IS PROVIDED 'AS IS'
"
@Di4na #FOSS #OpenSource #FreeSoftware #SoftwareDevelopment

For those asking what systemd change, easy write up: https://github.com/systemd/systemd/issues/32028

It was in train before the XZ issue was discovered, which may be why the threat actor sped up, started making mistakes and started begging distros to upgrade XZ - as what looks to be years of planning was about to be flushed down the pan.

Also since there’s a lot going on here, up thread I mentioned a 2015 minor bug in Google’s OSS Fuzzer (security testing tool) - the threat actor deliberately introduced the bugged function into XZ, then used that to get an exception in OSS Fuzzer’s code to stop scanning of XZ.

I’ve just been looking at the actual backdoor for a few hours with greater minds than me, it’s incredibly complex - it basically piggy backs RSA key RCE inside sshd as a Trojan horse. Somebody/bodies spent $$ on this.

Also, to be super clear nobody should panic about #XZ as the Postgres developer who found this basically caught it quick enough that almost no businesses or devices will be running the code.

So everybody should be chill about this specific issue as that guy saved everybody’s bacon.

To give an idea of the scale of OpenSSH usage, it’s absolutely huge, it dwarfs RDP by a huge margin (think ten times), and had this survived for a long period of time it would have been unbelievably bad.