[eng] xz backdoor readings
List of readings to understand the scope of the xz backdoor situation.
Original finding by Andres Freund. This is the primary source.
Tukaani blog where Lasse, the original maintainer, is posting updates. (Tukaani is the group that created and maintains xz.)
GitHub actors involved:
- Lasse Collin, the original xz maintainer
- "Jia Tan", the primary bad actor
- "Hans Jansen", who also appears to help add suspicious code, then disappears. There is discussion about whether this is just an alt account for "Jia Tan".
This is the current official xz repo, to which the original maintainer Lasse has already started adding patches:
git clone https://git.tukaani.org/xz.git xz-tukaani
Good summaries:
- Timeline with useful context: mailing-list participation by these actors, etc.
- Simplified write-up with tons of discussion
Discussions:
- Hacker News thread
- Link - one of the more active subthreads within that thread
- r/Linux
- r/Linux
Official bugs/reports:
- Debian bug to request reverting the xz version
- GitHub issue on the official GitHub repo about this situation, before GitHub disabled the repo.
- ArchLinux announcement
- Red Hat announcement
- Gentoo
- libarchive reviewing every commit made by "Jia Tan", one by one
Context:
- [Link] Original author talking about their burnout, the maintainer burden, and their first mention of Jia Tan
- [Link] Random actor pushing for xz upgrades. Shows up for two messages and disappears.
- [Link] Another actor, Jigar Kumar, who also spends some time pressuring for Jia to get commit access, and disappears.
- [Link] Yet another actor, Dennis Ens, who also pressures Lasse a great deal and then disappears
- LKML: Lasse responds
- Mastodon: Andres on the chain of events it took to discover this issue
The hack:
- Initial request from Jia Tan asking to have xz bumped in Debian
- [Link] Getting the version of xz built by oss-fuzz to build without ifunc, since building with it would reveal issues
- Links to the suspicious commits are in the original finding, as well as in the further discussions