
The PR for changing compression libraries to use dlopen() was opened several weeks before the xz-utils backdoor was revealed.

https://github.com/systemd/systemd/pull/31550




Then it's good the systemd team changed their minds, even if it's a decade late.


"Jia Tan" was pushing hard to get systemd updated to use the new xz because he saw this change in progress and wanted to get it in a release before this went through.


No they weren't. Jia Tan has never interacted with the systemd developers in any way as far as I know.

It isn't systemd's decision what version of xz-utils to use, it's the distro's decision. And Jia Tan did push the distro maintainers to update xz-utils, but the systemd developers have absolutely nothing to do with that, so your statement is incorrect.


You're correct, and I was overly vague. The key observation is "Kevin Beaumont speculates that knowing this was on the way may have accelerated the attacker’s schedule" Here's the exact wording, from Russ Cox:

2024-02-29: On GitHub, @teknoraver sends pull request to stop linking liblzma into libsystemd. It appears that this would have defeated the attack. Kevin Beaumont speculates that knowing this was on the way may have accelerated the attacker’s schedule. @teknoraver commented on HN that the liblzma PR was one in a series of dependency slimming changes for libsystemd; there were two mentions of it in late January. https://research.swtch.com/xz-timeline

See also previously on HN: https://news.ycombinator.com/item?id=39916125


Do you have a source for that? The backdoor was added to a minor release without a SONAME change, and generally such updates are done by distributions and not something upstreams concern themselves with.


It was mentioned in the recent Oxide and Friends podcast with the guy who discovered the backdoor. Maybe there is a link there somewhere.


I'm not going to listen to a 1.5 hour podcast to find the exact quote, but someone must've misspoken or misunderstood. I did some searching in the meantime, but there's no evidence at all of "Jia Tan" interacting with the systemd developers. They pressured distributions to update xz-utils, but not systemd upstream.


That may be true, but that wasn't the claim. The claim was changes in upstream systemd would limit the timeline for them. Not that they had interaction with each other.

The podcast is interesting either way.


The claim here was this:

> "Jia Tan" was pushing hard to get systemd updated to use the new xz

Which is different from your claim "changes in upstream systemd would limit the timeline for them"


I can't edit my original comment, so I added the following correction https://news.ycombinator.com/item?id=40031620

Apologies for any misunderstanding.


You could link the systemd issue.


Why does an init replacement even need a compression library built into it? At some point the bloat is more risk than feature.


I guess this has to be said, for another billion times: systemd is not and has never been 'only' an init replacement. And even earlier 'init' systems did more than init.


Just because you call it an "init replacement" doesn't make it only that; it describes itself as a "system and service manager", which should clue you in that (de)compressing stuff is something that is commonly done during system management.

