Rethink Security

xz

For various reasons I wasn’t able to write a summary for 2023. But if I had known then what to expect in 2024 with the current xz/liblzma [1], I would have written a modified version of Wilhelm Hey’s “Alle Jahre wieder” [2] instead of the recap.

As for the vulnerability itself, there are already a number of blogs on the subject, the best known being by Evan Boehs [3] and Bruce Schneier [4].

My two cents? Yes, open source, like any software, can be backdoored (and abused). The good news? Unlike closed-source software, such backdoors can be found and fixed quickly. The bad news? Many projects, even those widely used in industry, are managed by individual developers, usually without compensation.

As always, a picture is worth a thousand words:

[Image: xkcd #2347, “Dependency”, https://xkcd.com/2347/ (source: https://imgs.xkcd.com/comics/dependency.png)]

Let’s update that a little bit:

[Image: modified version of xkcd #2347, refined from https://xkcd.com/2347/]
Should corpos really build their infrastructure like this?

And finally, to all free software developers: DO NOT let others (especially large corporations) demand things from you, in particular if they take your work for granted without paying for it!


[1] https://www.openwall.com/lists/oss-security/2024/03/29/4

[2] translates to “Every year again”

[3] https://boehs.org/node/everything-i-know-about-the-xz-backdoor

[4] https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html