Red Hatter rwmj on https://news.ycombinator.com/item?id=39866275:
> the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor […]
> He has been part of the xz project for 2 years, adding all sorts of binary test files
> with this level of sophistication I would be suspicious of even older versions of xz
Also, PSA for people who are immediately triggered by the word "systemd", partially blaming it for the issue:
No.
Some distros patch OpenSSH to link to libsystemd to call https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html to notify systemd about startup completion.
libsystemd then links to the backdoored lzma for other things.
But OpenSSH could've implemented the notification on its own. It's literally "send a line into a socket", only a few lines of code, even in C.
https://chaos.social/@smrqdt/112180465514002100
https://news.ycombinator.com/item?id=39866076
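To make that last point concrete: here is an added example (mine, not code from OpenSSH, systemd, or either linked thread) of the sd_notify protocol done with plain sockets and zero libsystemd, so a daemon inherits no lzma or other transitive dependency just to say "I'm up". It assumes Linux/glibc; the names `make_addr`, `notify_manager`, `selftest_roundtrip` and the `@notify-selftest-<pid>` socket name are my own.

```c
#define _GNU_SOURCE            /* glibc: SOCK_CLOEXEC, MSG_NOSIGNAL, setenv */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* NOTIFY_SOCKET value -> AF_UNIX address ('@' selects the Linux abstract namespace).
 * Returns the socklen for sendto()/bind(), or 0 if the path is unusable. */
static socklen_t make_addr(const char *path, struct sockaddr_un *addr)
{
    size_t len = strlen(path);
    if ((path[0] != '/' && path[0] != '@') || len >= sizeof(addr->sun_path)) return 0;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len);
    if (path[0] != '@') return (socklen_t)sizeof(*addr);
    addr->sun_path[0] = '\0';  /* abstract: NUL prefix, the length delimits the name */
    return (socklen_t)(sizeof(addr->sun_family) + len);
}

/* Send one line such as "READY=1\n" to $NOTIFY_SOCKET. Returns 1 if sent,
 * 0 if NOTIFY_SOCKET is unset (not supervised), -1 on error. */
static int notify_manager(const char *msg)
{
    struct sockaddr_un addr; socklen_t alen; int fd = -1, sent;
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0') return 0;
    if ((alen = make_addr(path, &addr)) == 0 ||
        (fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0)) < 0) return -1;
    /* Datagram socket: the line is delivered whole or not at all, no partial sends. */
    sent = sendto(fd, msg, strlen(msg), MSG_NOSIGNAL, (struct sockaddr *)&addr, alen) >= 0;
    close(fd);
    return sent ? 1 : -1;
}
/* Self-test: bind a receiver on a constructed abstract name, point NOTIFY_SOCKET
 * at it, send READY=1 and check the exact bytes arrive. Returns 1 on success. */
static int selftest_roundtrip(void)
{
    struct sockaddr_un addr; char name[64], buf[64]; int fd, pass = 0;
    snprintf(name, sizeof(name), "@notify-selftest-%ld", (long)getpid());
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) return 0;
    if (bind(fd, (struct sockaddr *)&addr, make_addr(name, &addr)) == 0 &&
        setenv("NOTIFY_SOCKET", name, 1) == 0 && notify_manager("READY=1\n") == 1 &&
        recv(fd, buf, sizeof(buf), 0) == 8 && memcmp(buf, "READY=1\n", 8) == 0)
        pass = 1;
    unsetenv("NOTIFY_SOCKET");
    close(fd);
    return pass;
}
```

A daemon would call `notify_manager("READY=1\n")` once its listening socket is up and treat 0 as "not under systemd, carry on".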