| 29 Mar 2024 |
clefru | Sorry, ignore that. I am tracking nixos-23.11 and not release-23.11 | 09:05:50 |
hexa | https://www.openwall.com/lists/oss-security/2024/03/29/4 | 16:12:46 |
syd installs gentoo (they/them) | In reply to @hexa:lossy.network https://www.openwall.com/lists/oss-security/2024/03/29/4 b) argv[0] needs to be /usr/sbin/sshd
ldd $(which sshd) | grep -i lzma doesn't link against lzma
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/compression/xz/default.nix
is on the affected version 5.6.1 (5.4.4 on 23.11)
Thank you hexa https://github.com/NixOS/nixpkgs/pull/300028
| 16:22:08 |
Julien | Just saw that as well. Is there a specific reason we are not building xz from the "source code" links generated from GitHub? If I understand correctly, part of the backdoor is not present in there | 16:38:11 |
vcunat | Because release tarballs need fewer dependencies to build from. | 16:39:31 |
raitobezarius | In reply to @julienmalka:matrix.org Just saw that as well, is there a specific reason we are not building xz from the "source code" links generated from github ? If I understand correctly part of the backdoor is not present in there #security-discuss:nixos.org | 16:39:38 |
tgerbet | And the source code tarballs generated automatically by GH are not stable | 16:40:28 |
vcunat | We have tools for that. | 16:40:55 |
vcunat | Hashing the unpacked directory tree instead. | 16:41:07 |
vcunat | Dependency on autoreconfHook can be bothersome, especially for packages involved in stdenv bootstrapping. | 16:41:42 |
cleverca22 | In reply to @vcunat:matrix.org Because release tarballs need fewer dependencies to build from. I suspect that's also part of the exploit chain.
configure isn't in git, and has to be generated when making the release tarball, and users are trusting that configure was generated properly
| 19:09:45 |
cleverca22 | so the critical piece in making it all work isn't in git, and there is no evidence of it in the history | 19:10:05 |