Comments by "Gilad Barlev" (@GSBarlev) on "Linux got wrecked by backdoor attack" video.
To clarify, this attack didn't actually affect any production systems—every stable distro was at least two minor versions old, and no rolling release was built in such a way as to be vulnerable to the attack vector. The one system where this was out in the wild was... macOS systems with Homebrew. But don't let Tim Apple find out, or he'll try to block macs from "sideloading" software.
1100
Yeah, some state agency is extremely pissed right now that their op was busted after two years of work, and before their backdoor could actually make it into the wild.
819
Database programmers are a different breed, my dude.
809
@LosFarmosCTL Pretty sure you're right about Homebrew from what I've found—the general consensus appears to be that the FOSS world dodged a bullet by Freund discovering this in March and not May, by which point this version would have actually been deployed in the intended target—Ubuntu 24.04 LTS.
183
This 🐐 develops postgres for a living. With all the db exploits he's probably seen over the years, this was probably a giant snooze-fest for him.
63
Counterpoint: I'm surprised the NSA didn't notice this themselves: "Hey, there's this weird 500ms slowdown in our botnet playbooks. Someone needs to dig into that."
16
@ArawnOfAnnwn Because I actually watched the video and read the CVE and postmortems. The code is fully open source and has a thousand people poring over every bit. The only distros affected were Sid, Tumbleweed and Rawhide, which are used almost exclusively for testing.
8
@allanwilmath8226 Nah, I don't hate Apple (though I do like to blow them a few razzberries from time to time). As you can see from the follow-up discussion, it sounds like macs weren't any more vulnerable to this attack than Arch, and Homebrew took the bold step of knocking xz all the way back to 5.4 rather than produce a clean 5.6 build, so major kudos. My point, if I have one, is that we're all in this together, and this isn't a case where the messaging is really "haha 🐧 nerds got pwned."
8
@nikhilchouhan1802 Even then it might not have been affected if the Arch build script clones the repo (which I thought was SOP for PKGBUILDs) instead of downloading the release tarball.
4
Then you need to pacman -Syu. Arch isn't vulnerable to the malicious payload, but it's still not something you want on your system.
2
YouTube real-time metrics are fuzzy at best. Guarantee if you view the same video on five different browsers on three different machines, they'll each report different numbers.
2
Make sure to upgrade xz to 5.6.1-2 or above. Arch isn't vulnerable to this attack vector, but do it anyway just to be sure.
1
Especially the theory that it was a social engineering attack where "Jia" created a bunch of sock puppets to harass the xz project owner into burning out (and handing the keys over to a "trusted co-maintainer").
1