• Thurstylark@lemm.ee
    link
    fedilink
    English
    arrow-up
    41
    ·
    8 months ago

    Me: fixes exposure to vuln

    Also me: grabs popcorn

    This is going to be an interesting story once this all quiets down…

    • Bitrot@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      48
      ·
      edit-2
      8 months ago

      Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

      And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.

      • SuperIce@lemmy.world
        link
        fedilink
        English
        arrow-up
        19
        ·
        8 months ago

        Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.

      • Brunacho@scribe.disroot.org
        link
        fedilink
        English
        arrow-up
        10
        ·
        8 months ago

        Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

        gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.

      • Thurstylark@lemm.ee
        link
        fedilink
        English
        arrow-up
        10
        ·
        8 months ago

        Running Arch, so not really exposed, but still had a compromised version installed.