
Comment by TZubiri

2 days ago

>workflow that shipped the libxz backdoor to everyone

Isn't it the case that it didn't ship the backdoor? Precisely because of the thorough testing and vetting process?

No, it shipped in Debian Sid, openSUSE Tumbleweed and Fedora Rawhide, along with beta versions of Ubuntu 24.04 and Fedora 40. Arch also shipped it but the code looked for rpm/apt distros so the payload didn't trigger.

It was caught by a Postgres developer who noticed strange performance on their Debian Sid system, not by anyone involved with the distro packaging process.

  • In other words, it didn't hit any people running Stable distros, only users on Beta versions or rolling releases.

    Sounds like an improvement - having beta builds for people to catch those before they arrive in a stable GNU distribution seems the ideal workflow at a glance.

    • On top of that the number of such issues is tiny compared to language distros.

      Distro packaging is not perfect, but it is much, much better.

  • App devs are part of the distro release process. They verify stability with other packages.

    It's OS, it's a collab endeavour