Re: Backdoor in upstream xz-utils
From: Ricardo Wurmus
Subject: Re: Backdoor in upstream xz-utils
Date: Sat, 30 Mar 2024 22:02:27 +0100
User-agent: mu4e 1.10.8; emacs 29.1

Tomas Volf <~@wolfsden.cz> writes:
> On 2024-03-29 13:39:59 -0700, Felix Lechner via Development of GNU Guix and
> the GNU System distribution. wrote:
>> > Is there a way we can blacklist known bad versions?
>>
>> Having said all that, I am not sure Guix is affected.
>>
>> On my systems, the 'detect.sh' script shows no reference to liblzma in
>> sshd. Everyone, please send additional reports.
>
> If nothing else, our xz is at 5.2.8. I think the question was if there is a
> way to blacklist specific known tarball to ensure no-one updates to it by
> accident.

The properties field on a package definition can be used to record
arbitrary information, which could be read by `guix lint`.
--
Ricardo
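
The following is an added example, not part of the message above and not code from Guix itself: a sketch of recording blocked versions in a package's `properties` field and checking them from Guile. The property key `known-bad-versions`, the helper names and the placeholder version string are assumptions made for illustration, and registering the check with `guix lint` is not shown.

```scheme
;; Added illustration; run inside a Guix checkout or with `guix repl FILE`.
(use-modules (guix packages)
             (gnu packages compression))   ; provides the `xz' package

;; ASSUMPTION: hypothetical property key, not one Guix defines.
(define %bad-versions-key 'known-bad-versions)

;; Placeholder only: put the real compromised version strings here.
(define %placeholder-bad-version "X.Y.Z-PLACEHOLDER")

;; Constructed variant of xz that carries the block list as a property,
;; keeping whatever properties the original package already has.
(define xz/annotated
  (package
    (inherit xz)
    (properties
     `((,%bad-versions-key . (,%placeholder-bad-version))
       ,@(package-properties xz)))))

(define (known-bad-versions pkg)
  "Return the versions PKG's definition marks as known bad, or '()."
  (or (assq-ref (package-properties pkg) %bad-versions-key) '()))

(define (check-known-bad-version pkg)
  "Return a warning string when PKG's version is on its own block list,
otherwise #f.  A lint checker could call this for every package."
  (and (member (package-version pkg) (known-bad-versions pkg))
       (format #f "~a@~a is listed as a known-bad version; do not update to it"
               (package-name pkg) (package-version pkg))))

;; Simulate an accidental update to a blocked version: the property is
;; inherited, so the check fires on the bumped definition.
(define xz/accidental-update
  (package
    (inherit xz/annotated)
    (version %placeholder-bad-version)))

(for-each
 (lambda (pkg)
   (format #t "~a@~a: ~a~%"
           (package-name pkg) (package-version pkg)
           (or (check-known-bad-version pkg) "ok")))
 (list xz/annotated xz/accidental-update))
```

Because the block list lives in the package definition, it survives `inherit`, so a version bump made through an inheriting definition is still checked against it.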