undefined | Better HN

0 pointsA1kmm1y ago0 comments

Looks like GitHub has suspended access to the repository, which while it protects against people accidentally compiling and using the code, but certainly complicates forensic analysis for anyone who doesn't have a clone or access to history (which is what I think a lot of people will be doing now to understand their exposure).

0 comments

A1kmmOP1y ago

It looks like git clone https://git.tukaani.org/xz.git still works for now (note: you will obviously be cloning malware if you do this) - that is, however, trusting the project infrastructure that compromised maintainers could have had access to, so I'm not sure if it is unmodified.

HEAD (git rev-parse HEAD) on my result of doing that is currently 0b99783d63f27606936bb79a16c52d0d70c0b56f, and it does have commits people have referenced as being part of the backdoor in it.

gpm1y ago

Apparently there's a wayback machine for git repos and it "just coincidentally" archived this repo the day before the news broke:

https://archive.softwareheritage.org/browse/origin/visits/?o...

pabs31y ago

That was me. I'm part of ArchiveTeam and Software Heritage and I'm one of the Debian sysadmins, the latter got some advanced notice. I figured archives of xz related stuff would be important once the news broke, so I saved the xz website and the GitHub repos. I regret that I didn't think to join the upstream IRC channel and archive the rest of the tukaani.org domain, nor archive the git.tukaani.org repos. Been archiving links from these threads ever since the news broke.

1 more reply

gowthamgts121y ago

> https://git.tukaani.org/xz.git

it's throwing 403 now.

amszmidt1y ago

Works cloning though.

gpm1y ago

Well that's inconvenient, I was (probably, time permitting) going to propose to some of my friends that we attempt to reverse this for fun tomorrow.

Anyone have a link to the git history? I guess we can use the ubuntu tarball for the evil version.

j / k navigate · click thread line to collapse

0 comments

A1kmmOP1y ago

HEAD (git rev-parse HEAD) on my result of doing that is currently 0b99783d63f27606936bb79a16c52d0d70c0b56f, and it does have commits people have referenced as being part of the backdoor in it.

gpm1y ago

Apparently there's a wayback machine for git repos and it "just coincidentally" archived this repo the day before the news broke:

https://archive.softwareheritage.org/browse/origin/visits/?o...

pabs31y ago

1 more reply

gowthamgts121y ago

> https://git.tukaani.org/xz.git

it's throwing 403 now.

amszmidt1y ago

Works cloning though.

gpm1y ago

Well that's inconvenient, I was (probably, time permitting) going to propose to some of my friends that we attempt to reverse this for fun tomorrow.

Anyone have a link to the git history? I guess we can use the ubuntu tarball for the evil version.

j / k navigate · click thread line to collapse