
Talk:XZ Utils

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by ItzSwirlz (talk | contribs) at 00:08, 1 April 2024 (→‎Add warning for usage given the compromised upstream code: Reply). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Implementation section doesn't discuss underlying implementation

Instead, it's literally just a manual page for the command line interface. 2600:1015:B128:AD42:10F0:916:7055:A3DE (talk) 07:59, 15 February 2019 (UTC)

Yep. I have renamed the section to Usage. —Fezzy1347 (Let's chat) 21:25, 5 February 2021 (UTC)

Add warning for usage given the compromised upstream code

Debian has located a major vulnerability in the code and shown that the liblzma code base is compromised. I think the wiki article should reference this.

Relevant link: https://www.openwall.com/lists/oss-security/2024/03/29/4 Vigh m (talk) 17:09, 29 March 2024 (UTC)
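The oss-security advisory linked above ends with a short detection script that dumps the liblzma that sshd loads and greps the dump for a byte signature of the hooked function. The following is an added, self-contained rework of that check for this page; it is not the advisory's script and not XZ Utils code. The hex signature is the one the advisory greps for; the file names, the od-based hex dump (the advisory uses hexdump and bash) and the two sample files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: self-contained rework of the detection check in the
# oss-security advisory https://www.openwall.com/lists/oss-security/2024/03/29/4
# The SIGNATURE is taken from that advisory; file names and sample files are
# constructed for this demo and are not real liblzma builds.
set -u

SIGNATURE='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# Dump a file as one continuous lowercase hex string.
# od is POSIX; the advisory's hexdump is not available on every system.
hex_of_file() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Exit status 0 if the file contains the signature bytes, 1 otherwise.
liblzma_has_signature() {
    hex_of_file "$1" | grep -q "$SIGNATURE"
}

# Report in the advisory's own wording; returns 0 only when the signature is found.
check_liblzma() {
    if [ ! -r "$1" ]; then
        echo "probably not vulnerable (no readable liblzma at $1)"
        return 1
    fi
    if liblzma_has_signature "$1"; then
        echo "probably vulnerable: $1"
        return 0
    fi
    echo "probably not vulnerable: $1"
    return 1
}

# Locate the liblzma that sshd actually loads, as the advisory does.
# Prints nothing if sshd is absent or does not link liblzma.
sshd_liblzma_path() {
    sshd_bin="$(command -v sshd 2>/dev/null || true)"
    [ -n "$sshd_bin" ] || return 0
    ldd "$sshd_bin" 2>/dev/null | grep liblzma | grep -o '/[^ ]*' | head -n 1
}

# Constructed sample files: one with the signature bytes embedded in filler,
# one without. printf octal escapes are POSIX; \x escapes are not.
make_samples() {
    dir="${1:-.}"
    printf 'clean library bytes, nothing of note here\n' > "$dir/liblzma-clean.bin"
    {
        printf 'filler bytes before the hooked function\n'
        printf '\363\017\036\372\125\110\211\365\114\211\316\123\211\373\201\347\000\000\000\200\110\203\354\050\110\211\124\044\030\110\211\114\044\020'
        printf '\nfiller bytes after\n'
    } > "$dir/liblzma-flagged.bin"
}

# Stand-alone usage: check the sshd-linked liblzma on this host, if any.
if [ "${0##*/}" = "xz-check.sh" ]; then
    path="$(sshd_liblzma_path)"
    [ -n "$path" ] && check_liblzma "$path" || echo "probably not vulnerable (sshd does not link liblzma)"
fi
```

The signature scan only recognises the particular hooked build the advisory describes; the authoritative indicator remains the packaged liblzma version and each distribution's own advisory, as in the links posted in this thread. Run `check_liblzma` against the path your own sshd resolves (the `sshd_liblzma_path` helper mirrors the advisory's `ldd` step) rather than against a copy, since the question is which library sshd actually loads.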

I second this. It's probably worth noting that many affected distributions have released patches for it, however at this stage nobody knows a whole lot about what's happened as far as I can see.
Archlinux announcement: https://archlinux.org/news/the-xz-package-has-been-backdoored/
Debian stable announcement: https://lists.debian.org/debian-security-announce/2024/msg00057.html
Red Hat announcement (relevant to RHEL, Fedora): https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Pave unpaved (talk) 06:51, 30 March 2024 (UTC)
I added Alpine Linux to the list of affected Linux distros, but I'm not sure whether to include the page within their security database (https://security.alpinelinux.org/vuln/CVE-2024-3094), or the affected commit (https://gitlab.alpinelinux.org/alpine/aports/-/commit/11bc4fbf6b6fe935f77e45706b1b8a2923b2b203). I cited the latter, but should I change it to the page in the security database? Mintphin (talk) 16:35, 30 March 2024 (UTC)
After some talk with people involved in the project, Alpine is unaffected due to the attack using a function implemented in glibc but not in musl libc, which Alpine uses. Mintphin (talk) 16:48, 30 March 2024 (UTC)
I think this chapter should be split into a different page. This probably satisfies the conditions for Wikipedia:WHENSPLIT:
  • There's still more information on this incident that could be added as it is a current event. This section already takes 3 whole paragraphs and it can take more. Wikipedia:SIZESPLIT
  • Other relevant information such as the identity of the attacker(s?) and their activity timeline could be added. This information is distinct enough from XZ Utils itself. Wikipedia:CONSPLIT
Abogical (talk) 02:37, 31 March 2024 (UTC)
I don't think 3 paragraphs warrants a split; however, it might warrant one if there is more coverage. Sohom (talk) 06:16, 31 March 2024 (UTC)
Agreed with the above, this isn't at the level of something like Log4Shell yet. Keeping it in the article is fine. PolarManne (talk) 15:50, 31 March 2024 (UTC)
I support the split. This seems pretty significant, one of the most important supply chain attack incidents; interesting details and coverage keep surfacing, and there are more to come it seems. There is already enough coverage to add more things that make it distinct enough for an article, I think. Tehonk (talk) 19:42, 31 March 2024 (UTC)
The split is probably going to be necessary once people make a name/logo and all.
In other news: I just blocked out the stable release field in the infobox. If I can find confirmation from a safe source that there is a latest safe version I'll let you know, but the bad actor's been working on this for a year and a half. ItzSwirlz (talk) 00:08, 1 April 2024 (UTC)

xz format

xz format: https://news.ycombinator.com/item?id=39873112

Can it be added to the corresponding section? 176.52.113.35 (talk) 15:51, 31 March 2024 (UTC)