Debian on xz-utils: revert to version that does not contain changes by bad actor
Compression format choices (xz, zstd, lzip)
- Some argue it’s time to move away from xz: long-term maintainer issues, now a backdoor, and better options exist.
- zstd is proposed as a replacement: much faster, slightly worse compression (often ~5–10% larger), but many see that as a good trade for speed and maintainability.
- Others note xz was originally chosen before zstd existed and still wins on maximum compression ratio, which matters for distro packages and archival.
- Lzip is suggested as “same algorithm, simpler format,” but criticized for single-maintainer risk, no public VCS, and minimal process; several commenters see that as repeating the same governance problem.
Backdoor mechanics and impact
- Consensus that this was clearly intentional, not a bug:
- Payload hidden in “test” binaries and build scripts, only active in release tarballs.
- Triggered only under specific conditions, targeting sshd via libsystemd → liblzma linkage.
- Uses dynamic linker tricks (e.g., GNU_IFUNC) to intercept sshd functions.
- SSH compression features themselves are unrelated; the link is purely via dependency chains.
- Discovery is seen as somewhat lucky; many fear additional subtle issues in the ~2 years of commits.
Attribution and attacker identity
- Strong disagreement over labeling the actor as “Chinese” or any specific nationality.
- Evidence cited: username style, time zones, language; countered by the point that multiple fake personas (Chinese, Indian, Scandinavian, Russian-sounding) appear, likely as misdirection.
- Overall, attribution is considered unclear and possibly intentionally obfuscated.
Funding, maintainership, and governance
- Widespread concern that critical infrastructure is maintained by one or two overworked volunteers.
- Some call for big tech / governments to fund full-time maintainers or rewrite infrastructure; others note such funding could still flow to a malicious maintainer.
- Debate over whether distros should depend on such low-level libraries with weak governance, and whether xz should be kept or replaced rather than auditing all recent work.
Security models, tooling, and process
- Discussion of LTS vs bleeding-edge: stable users avoided this specific incident but may run unrecognized vulnerabilities longer.
- Debian model (stable/testing/sid) praised as a middle ground, but testing can stay broken longer.
- Some emphasize hardening build processes (simpler builds, fewer autoconf-style scripts) over language changes; others argue memory-safe ecosystems (e.g., Rust) modestly raise the bar, though they introduce their own supply-chain risks (many dependencies, build scripts).
Identity verification and anonymous contributors
- Proposals: verified IDs via platforms, national ID, or employer verification for high-impact projects.
- Objections: privacy, feasibility across countries, state actors can forge IDs, and barriers to legitimate contributors.
- No clear consensus; many see better review and tooling as more realistic than identity-based controls.
Future of xz and ecosystem effects
- Some Debian developers and commenters question whether xz should remain in archives given maintainer and trust issues when zstd or others are available.
- Concern that other platforms (e.g., those using libarchive) might be indirectly exposed, though specific impact is unclear in the thread.