On Fri, Mar 29, 2024 at 7:39 PM Matthias Koeppe <matthiaskoe...@gmail.com> wrote:
>
> Workaround with the Sage distribution: "./configure --without-system-liblzma --without-system-xz"
> (Our xz package dates back from before the attackers were born;)
>
> Incidentally, the cryptographic protection of the Sage distribution is wildly
> insufficient.
> I've opened https://github.com/sagemath/sage/issues/37691 for this -- any
> takers?

I'd switch to sha256. And require PGP-signed commits, etc.
Well, I can't even comment on that issue :-)

>
>
> On Friday, March 29, 2024 at 12:18:24 PM UTC-7 Dima Pasechnik wrote:
>>
>> https://www.openwall.com/lists/oss-security/2024/03/29/4
>>
>> if you have xz 5.6.0 or 5.6.1 installed (e.g. Debian testing/unstable)
>> you have a backdoored xz.
>
> --
> You received this message because you are subscribed to the Google Groups
> "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sage-devel+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/sage-devel/d75e7cc9-9743-4c20-b502-431d400dc5f2n%40googlegroups.com.