undefined | Better HN

0 pointsSAI_Peregrinus1y ago0 comments

If they hadn't been modifying SSH their users would never have been hit by this backdoor. Of course if it is actually intended to target SSH on Debian systems, the attacker would likely have picked a different dependency. But adding dependencies like Debian did here means that those dependencies aren't getting reviewed by the original authors. For security-critical software like OpenSSH such unaudited dependencies are prime targets for attacks like this.

0 comments

cassianoleal1y ago

My point was, this is not "Debian did a thing". Lots of other distros do the same thing. In this particular case, it was in fact fortunate for users of all these other distros that Debian did it, lest this vulnerability might have never been found!

Also, only users on sid (unstable) and maybe testing seem to have been affected. I doubt there are many Debian servers out there running sid.

Debian stable (bookworm) has xz-utils version 5.4.1: https://packages.debian.org/bookworm/xz-utils

saalweachter1y ago

I would phrase it as "It's good we have a heterogenous open-source community".

Monocrops are more vulnerable to disease because the same (biological) exploit works on the entire population. In our Linux biosphere where there are dozens of major, varied configurations sharing parts but not all of their code (and hundreds or thousands of minor variations), a given exploit is likely to fail somewhere, and that failure is likely to create a bug that someone can notice.

It's not foolproof, but it helps keep the ecosystem healthy.

fullstop1y ago

> Debian stable (bookworm) has xz-utils version 5.4.1: https://packages.debian.org/bookworm/xz-utils

Guess who released 5.4.1? JiaT75!

cassianoleal1y ago

5.4.1 doesn't even have the `m4/build-to-host.m4` script that pulls the backdoor's tarball.

https://salsa.debian.org/debian/xz-utils/-/tree/v5.4.1/m4

1 more reply

sitkack1y ago

It takes a village.

j / k navigate · click thread line to collapse

0 pointsSAI_Peregrinus1y ago0 comments

0 comments

cassianoleal1y ago

Also, only users on sid (unstable) and maybe testing seem to have been affected. I doubt there are many Debian servers out there running sid.

Debian stable (bookworm) has xz-utils version 5.4.1: https://packages.debian.org/bookworm/xz-utils

saalweachter1y ago

I would phrase it as "It's good we have a heterogenous open-source community".

It's not foolproof, but it helps keep the ecosystem healthy.

fullstop1y ago

> Debian stable (bookworm) has xz-utils version 5.4.1: https://packages.debian.org/bookworm/xz-utils

Guess who released 5.4.1? JiaT75!

cassianoleal1y ago

5.4.1 doesn't even have the `m4/build-to-host.m4` script that pulls the backdoor's tarball.

https://salsa.debian.org/debian/xz-utils/-/tree/v5.4.1/m4

1 more reply

sitkack1y ago

It takes a village.

j / k navigate · click thread line to collapse