Reflections on Distrusting xz

Scope of the xz Backdoor Fallout

  • Worries about unknown exploitation on build servers, developer machines, and embedded systems; attacker had ~1 month of exposure on some distro testing branches.
  • Some distros wiped/rebuilt build hosts and reverted or constrained xz; debate over whether this is “halting progress” or necessary security work.
  • Concern that the discovered SSH backdoor might be only one of multiple planted mechanisms, or that other actors might have similar “sleeper” positions elsewhere.

Dependencies, Attack Surface, and Isolation

  • Strong calls to minimize dependencies, especially trivial ones (e.g., color, .env, “rm -f” libraries), and to favor “do one thing well.”
  • Debate over containers: some see them as a useful blast-radius limiter; others argue real-world container images are opaque, hard-to-update blobs and worsen ops complexity.
  • Suggestions for stronger isolation: more security-oriented kernels, granular per-library permissions, sandboxes (process-based or WebAssembly), and Qubes-like compartmentalization.

Trust, Identities, and Nation-State Speculation

  • Thread heavily debates whether this was a nation-state attack; some find the multi‑year, high‑opsec pattern indicative, others say a skilled individual or criminal group could do it.
  • Big concern about “sleeper maintainers” across many projects, including in proprietary vendors; analogies to intelligence playbooks and financial/social pressure on underfunded maintainers.
  • Contentious argument about requiring “real identities” or government-backed credentials for maintainers; others stress that anonymity is legitimate and that identity proofs are easily faked.

What To Do with xz Now

  • Many argue for reverting to a “pre-attack” xz version, but there’s debate on how far back is safe given possible sockpuppets and the risk of history rewrites.
  • Some propose distrusting xz entirely and moving to alternatives (e.g., zstd), but note compatibility issues (APIs, existing .xz archives, Debian’s use as default compressor).
  • Others note xz is relatively small and stable, suggesting starting from a known-good release and selectively reapplying post-attack fixes.

Technical Concerns in the Code

  • Specific diffs (e.g., changes to dict_put / dict_put_safe) are examined; some see them as highly suspicious and potentially giving controlled out-of-bounds writes.
  • There is disagreement over whether these are definitively malicious or just risky/complex C optimizations that demand full call-site audits.
  • Emphasis that fuzzing and reproducible builds help but are not foolproof; disabling fuzzers under social pressure is highlighted as a key failure.

Social and Structural Problems in OSS

  • Repeated themes: single maintainer “bus factor,” burnout, mental health, and social-engineering via faux community pressure for “more features.”
  • Some advocate more funding (including possibly from governments or big tech) for critical infrastructure; others warn this could increase political/control risks.
  • Expectation of short-term overreaction (witch-hunts, performative review, more red tape) followed by regression to old habits unless deeper governance and maintainer-support issues are addressed.