#update system and XZ or not
35 messages · Page 1 of 1 (latest)
Arch news says xz 5.6.1-2 does not contain the backdoor
However, there are still commits made by Jia Tan.
To that package?
Can I update my system without including that 5.6.1-2?
I'm the kind of person that prefers to avoid it altogether
Esp coz I went to Linux coz "malware is less of an issue" lol
Jia has been committing since 5.3.2
It's basically impossible to avoid this actor's commits, because too much has changed since that version (2 years ago). It breaks packages that depend on xz
I was unable to downgrade below 5.4.2 on my system, so this is the situation.
This gist documents some aspects of the xz backdoor. https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Is this the same with all Linux distro?
But the backdoor "problem" only popped up in the last few commits
Yeah, it says likely 5.6.0 and 5.6.1, so I can't just upgrade and avoid that, hey
I want to upgrade normal stuff like discord so I can use it instead of my mobile haha
Yeah, it's safe to use 5.6.2-1
Read the documentation. The actor slowly added infrastructure for the backdoor; it wasn't just a few commits. On the other hand, it only targets Debian or Red Hat-derived systems.
Still reading
Through phone
So is there a way to upgrade without the package and or is there a Linux which doesn't use it
What about macOS? I wonder if it was affected
Wild stuff, I feel weird being on Linux now
You probably don't use XZ much, but many programs depend on it. Just check the output of pacman -Rs -p xz (don't run it as root and don't forget -p). And there are also second level dependencies on this package.
And that's probably why xz was chosen, it was relatively obscure, widely used and dependent on.
Arch isn't linked to the thing anyway, so it should be safe, but
I'm still not wanting to update haha
And I guess Mac is just fine
The whole way through
IMO it's no longer worth worrying about this backdoor because it's been exposed. I would be more concerned about these potential backdoors in many other similar widely used libraries. This attack may just be the tip of the iceberg.
Or could it give ideas to bad people in the future etc
I think everything on my system works except Discord and Timeshift, which has been reporting ???? as the time remaining for 2 hours now
I may just try to update discord only and move on lol
Well, probably move on, unless you want to go down the rabbit hole of trusting trust.
I see
Don't update just parts of your system. You can safely update your whole system.
.aw partial upgrades
No results found.
.aw partial upgrade