Navigation
Recherche
|
What we need to take away from the XZ Backdoor (openSUSE News)
vendredi 12 avril 2024, 15:55 , par LWN.net
Dirk Mueller has posted a
lengthy analysis of the XZ backdoor on the openSUSE News site, with a focus on openSUSE's response. Debian, as well as the other affected distributions like openSUSE are carrying a significant amount of downstream-only patches to essential open-source projects, like in this case OpenSSH. With hindsight, that should be another Heartbleed-level learning for the work of the distributions. These patches built the essential steps to embed the backdoor, and do not have the scrutiny that they likely would have received by the respective upstream maintainers. Whether you trust Linus Law or not, it was not even given a chance to chime in here. Upstream did not fail on the users, distributions failed on upstream and their users here.
https://lwn.net/Articles/969591/
|
56 sources (32 en français)
Date Actuelle
ven. 22 nov. - 00:31 CET
|