[Discuss] Debian 12 in the Cloud

[kentborg at borg.org (Kent Borg)]

On 5/31/24 06:37, markw at mohawksoft.com wrote:
> The xz thing is totally different. That was a masterful bit of espionage.
> It was two years in the making, and if we don't think this is elsewhere as
> well, unrelated to systemd, then I'm sure we are kidding ourselves.

The xz thing was, indeed, masterfully done! I hate to say it, by I have 
admiration for them. They slipped the bad code into .m4 files, that were 
part of test code, or something like that. How many people know M4? And 
it's just test code, and the project needs the help, this contributor 
has done good work?

Very impressive stuff. I am very sympathetic to the plight of the xz 
people. See https://imgs.xkcd.com/comics/dependency.png

But how in the hell could a compromise of xz put a backdoor into sshd?? 
Because systemd patches sshd?because systemd.

The ssh people are very careful, ssh is very important, so I am glad 
they are careful. But when someone *else* starts patching sshd, because 
are building some big, complicated, sloppy OS within an OS, I want 
nothing to do with it. And I have no sympathy for their role in this.

-kb


P.S. I love the idea of wondering how much good open source work is done 
by major intelligence agencies as part of schemes like this. How much 
really good ssh work is being done today by such organizations hoping to 
slip something nasty in in the future?