On Fri, Mar 29, 2024 at 12:08 PM Richard W.M. Jones <rjones(a)redhat.com> wrote:
> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> > Hi,
> >
> > wow:
> > https://www.openwall.com/lists/oss-security/2024/
> >
> > I think at this point we clearly cannot trust xz upstream anymore and should
> > probably fork the project.
>
> I kind of agree here, though it saddens me to say it. Any commit or
> release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
> otherwise, and those go back 2 or more years.
>
> Rich.
>
> [1] Putting quotes here because those are almost certainly not real
> people's names.

That github user has also committed to libarchive, although not since
November 2021.
--
Jerry James
http://www.jamezone.org/