Xz Utils Backdoor
Source: en.wikipedia.org (security story, with Hacker News discussion)
Topics: Code Vulnerabilities, Open-Source Software, Linux
Key moments: story posted Dec 19, 2025 at 9:19 AM EST; first comment Dec 19, 2025 at 9:34 AM EST (15 minutes after posting); peak activity of 10 comments in the first two hours; latest activity Dec 20, 2025 at 11:37 AM EST.
Hacker News story ID 46326120 (last synced 12/19/2025, 2:45:41 PM)
Who vets contributors and maintainers?
Answer: Unknown in many (if not most) cases.
A human name is not required for legal accountability.
A human name is required in order to be legally employed.
None of this applies to open source in most cases.
Yes, installing software of "unknown origin" is a gaping security hole --- whether FOSS or not.
The fact that some people do dumb stuff does not negate the fact that a lot (if not most) FOSS fits in this category.
> Anonymity is the unique aspect of open source that opens the door for malicious activity without consequences.
If you'd like to amend to something like
> Anonymity, which is in play for most FOSS and a decent chunk of proprietary software, opens the door for malicious activity without consequences.
Then I wouldn't strongly disagree. I'm still a little skeptical, because people keep finding backdoors in non-FOSS software/firmware, of course, but it'd at least be a defensible claim. I'm only really objecting to the notion that this is unique to FOSS.
Just like there's basically no reputational harm anymore for leaking all your users' details, for most leaks.
This ideal obviously did not happen here.
And there are no consequences for those who fail to do so.
Classic Debian security management
Do you have many more examples to call that a "classic" Debian security behaviour?
Not Slackware since Slackware does not patch ssh or xz or many other utilities. Plus it does not use systemd. From what I remember that patch was put in to give systemd extra functionality.
This wasn't exactly necessary since the protocol has been stable for external use for ages (since its inception IIRC) and is relatively trivial to implement.
Since the attack happened, OpenSSH gained native support for the sd-notify protocol, the sd-notify man page has an example implementation that is freely usable, and libsystemd now only loads xz (and most of its other libraries) when explicitly requested by one of the tools via `dlopen`.
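The comments above make the point that the sd-notify protocol is small enough that sshd never needed to link libsystemd (and, through it, liblzma) to speak it. As an added example, not code from systemd, OpenSSH, the xz project or anyone in this thread, here is a minimal client in C that sends the readiness datagram directly. It follows the public protocol (a unix datagram socket named by NOTIFY_SOCKET, one datagram of newline-separated KEY=VALUE lines, a leading '@' meaning a Linux abstract-namespace socket) and mirrors sd_notify(3)'s return convention. The function names notify_minimal and notify_selftest, the self-test socket path under /tmp, and the sample state string are all my own choices for illustration.

```c
/* Minimal sd_notify(3)-compatible client with no libsystemd dependency.
 * Added example for this discussion; not code from systemd, OpenSSH or xz.
 * Protocol: the service manager exports NOTIFY_SOCKET (a unix datagram
 * socket path). The service sends a single datagram of newline-separated
 * KEY=VALUE lines, e.g. "READY=1\n". A path starting with '@' denotes a
 * Linux abstract-namespace socket: the '@' is replaced by a NUL byte. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns >0 on success, 0 when NOTIFY_SOCKET is unset (we are not running
 * under a manager that wants notifications), and -errno on failure. Only
 * filesystem ('/') and abstract ('@') unix sockets are handled here. */
int notify_minimal(int unset_environment, const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || *path == '\0')
        return 0;
    if (path[0] != '/' && path[0] != '@')
        return -EINVAL;

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t len = strlen(path);
    if (len >= sizeof addr.sun_path)
        return -ENAMETOOLONG;
    memcpy(addr.sun_path, path, len);
    socklen_t addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
    if (path[0] == '@')
        addr.sun_path[0] = '\0';            /* abstract namespace */

    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    fcntl(fd, F_SETFD, FD_CLOEXEC);        /* don't leak into children */

    size_t state_len = strlen(state);
    ssize_t n = sendto(fd, state, state_len, 0, (struct sockaddr *)&addr, addrlen);
    int saved = errno;
    close(fd);
    if (unset_environment)
        unsetenv("NOTIFY_SOCKET");          /* children must not re-notify */
    if (n < 0)
        return -saved;
    return (size_t)n == state_len ? 1 : -EIO;
}

/* Self-test: stand up a receiver the way a service manager would, send a
 * readiness message through notify_minimal(), and return 1 only if the
 * exact datagram arrives and NOTIFY_SOCKET was cleared afterwards. */
int notify_selftest(void)
{
    const char *msg = "READY=1\nSTATUS=listening\n";   /* constructed sample */
    char path[128];
    snprintf(path, sizeof path, "/tmp/notify-demo-%ld.sock", (long)getpid());
    unlink(path);

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);

    int rx = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rx < 0)
        return 0;
    if (bind(rx, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(rx);
        return 0;
    }

    int ok = 0;
    if (setenv("NOTIFY_SOCKET", path, 1) == 0 && notify_minimal(1, msg) > 0) {
        char buf[256];
        ssize_t n = recv(rx, buf, sizeof buf - 1, 0);
        if (n > 0) {
            buf[n] = '\0';
            ok = strcmp(buf, msg) == 0 && getenv("NOTIFY_SOCKET") == NULL;
        }
    }
    close(rx);
    unlink(path);
    return ok;
}

int main(void)
{
    /* In a real daemon you would call notify_minimal(1, "READY=1\n") once
     * the listening sockets are bound; here we run the loopback self-test. */
    printf("sd-notify self-test %s\n", notify_selftest() ? "passed" : "failed");
    return 0;
}
```

The whole client is a few dozen lines with no dependencies beyond libc, which is the point the thread is making: the attack surface came from the library the patch linked in, not from the protocol it implemented.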
I worked at a company that got red teamed. The pen testers were inside the network and were only found by a random employee who happened to be running Little Snitch and got a weird pop-up.
Nobody celebrated the fact that the intrusion was detected. It was pure luck, too late, and the entire infosec leadership was fired as a result.
Like this xz issue, none of the usual systems meant to detect this attack seemed to work, and it was only due to the diligence of a single person unrelated to the project that it was not a complete show.
It's an old legacy technology that needs to die out from all forms of distributions (looking at you GNU)