No argument from me. That JiaTan dude had other projects forked he was
looking at. And none of them are good news. zstd. lz4. libarchive.
squashfs-tools. But still, I think it's good news if people already
figured out how to turn it off in a few days.
On 4/1/2024 1:36 AM, Michael Orlitzky wrote:
> On Mon, 2024-04-01 at 01:32 +0300, Alexandru N. Barloiu wrote:
> > https://piaille.fr/@zeno/112185928685603910
> > There's an ENV var you can set that is a kill switch for the whole thing :)
>
> For the part that we found :)
>
> The author of the backdoor had commit access to the upstream repository
> for a long time:
>
> https://git.tukaani.org/?p=xz.git;a=search;s=Jia+Tan;st=author
>
> Personally I would be skeptical of running any version of any package
> that he has touched.