The discovery of a backdoor in XZ Utils in the spring of 2024 shocked the open source community, raising critical questions about software supply chain security. This post explores whether better Debian packaging practices could have detected this threat, offering a guide to auditing packages and suggesting future improvements.\n

How did the changes in the binary test files tests/files/bad-3-corrupt_lzma2.xz and tests/files/good-large_compressed.lzma, and the makefile change in m4/build-to-host.m4) manifest to the Debian maintainer? Was there a chance of noticing something odd?

  • moonpiedumplings@programming.dev
    5·
    8 days ago

    Author has some good thoughts, but it’s important to mention that the xz backdoor did not make it into debian stable, only sid.

    Debian already had policies to handle stuff like this, which is how bookworm wasn’t affected.

    • Otto@programming.devOP
      2·
      7 days ago

      There was a bunch of luck involved that Andres Freund detected this. Give more time, it would have ended up in stable releases eventually if not detected.