From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp0.migadu.com ([2001:41d0:303:e224::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms1.migadu.com with LMTPS
	id SAg3GRfCC2YBmgAAqHPOHw:P1
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 02 Apr 2024 10:30:15 +0200
Received: from aspmx1.migadu.com ([2001:41d0:303:e224::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0.migadu.com with LMTPS
	id SAg3GRfCC2YBmgAAqHPOHw
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 02 Apr 2024 10:30:15 +0200
X-Envelope-To: larch@yhetil.org
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=gmail.com header.s=20230601 header.b="a9PpV6e/";
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1712046615; a=rsa-sha256; cv=none;
	b=bEMWHIYGIFuw0XugxMTbpwJcpSAVuBftVkFgdbDY14eKFXbhChT1N/LAcPTGCEcRwssHAb
	+Lzgk0wQaoIQqs45gkklKUD8A/QZSnXtqbiIvZEf6cppAD8CHnM/gr0ALrYiQ9q2owakc+
	BZKIUT8C2aWFjDL4N1uQUSVOz4O8fOQGCzICgO4pUQXDBrk9dcibFGNzNnLeT3iRj+cjAL
	rHTORFGQiLPzUcqyIWmU3w7T2kGizl/unSYX5czCvf2qytI7SweZgKc+dViYfyozTTO3B5
	Vf0oQJQCF/gPtAzp8m01KJJuaM0NrIgXCZTMeyF7hKsF/pYu7t2jNcTU1n10hA==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=gmail.com header.s=20230601 header.b="a9PpV6e/";
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1712046615;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=maZgMcnQmust9ZsOodPryIJ+LibROmUw6F7JqULnEyE=;
	b=QQc5RKDvZQDshV8G8jdFPZXgARnRxujeOKakBm/IvGXdKPZBzbYXA/1Vq//df3OHTJtMjO
	Wz3g8FqNH5ROXME/8WqxiE8i2SU90GuLjgWUQOH1h3fX0asWvtInie3d9foI04icVQHSwU
	ztKBqsWJGUI4NLuDGOz/DGtqqmyEjzu6G3n/GMdA6tTavGhXqHvLmSgXDokmX+Z4x+D5Yq
	l1zD7fv9lCtP1p50e1xjhBBlDb2rXpZA0vgM2eHSddsBpDj9FFdJXjjG8kHdnLIs/Cu4R3
	bc2tR0D0Thj7V6tEjeC4hxUKwBkrT0dDV4bHLM+uIlHyfvDMhx28QrRKtV+dlw==
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 340A224150
	for <larch@yhetil.org>; Tue,  2 Apr 2024 10:30:15 +0200 (CEST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces@gnu.org>)
	id 1rrZWU-0008Vb-38; Tue, 02 Apr 2024 04:29:38 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <adanskana@gmail.com>)
 id 1rrZWT-0008V9-6E
 for guix-devel@gnu.org; Tue, 02 Apr 2024 04:29:37 -0400
Received: from mail-pf1-x42d.google.com ([2607:f8b0:4864:20::42d])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <adanskana@gmail.com>)
 id 1rrZWG-0005Jg-Mo
 for guix-devel@gnu.org; Tue, 02 Apr 2024 04:29:36 -0400
Received: by mail-pf1-x42d.google.com with SMTP id
 d2e1a72fcca58-6eafbcc5392so1992035b3a.1
 for <guix-devel@gnu.org>; Tue, 02 Apr 2024 01:29:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1712046561; x=1712651361; darn=gnu.org;
 h=mime-version:references:in-reply-to:message-id:cc:to:subject:from
 :date:from:to:cc:subject:date:message-id:reply-to;
 bh=maZgMcnQmust9ZsOodPryIJ+LibROmUw6F7JqULnEyE=;
 b=a9PpV6e/rj/2/sl4Mf6bUhbb0wibbThHifr1U+ziQ1X0RP0l2j3zyv0GGPGYs45bsv
 cniKo/q5p6U1jx8ktCNzSkcEH/LkOszo+sd/tYJESZjgynf9KhkvHmLNuIaOQZRA2JZv
 OByBBgCBDiowZ2oUGcB2PbPZkKHkc+omqDD+cclxInaMnbRGSoYgWvJ5uSgJpsLa0kYc
 YZ9D2XEyDYuf0qicRz9yyu8qzkrzq1SxCcVHjEZoqcQWP8J/Eto7GeJDKt+d0XTu4kDR
 M4IdesxV5FqoSsXSkuSHzadln0e0a0+42vOSCpcxZTbUwqJU+3tDgwo+gvVZKKq7O4uB
 bIqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1712046561; x=1712651361;
 h=mime-version:references:in-reply-to:message-id:cc:to:subject:from
 :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=maZgMcnQmust9ZsOodPryIJ+LibROmUw6F7JqULnEyE=;
 b=hYaNOsIKo9CkCC2ABY3qbWJPVGBI7sFNMSdMnaSuGPLRePMAgY1RjgZ8qqlZPqetih
 EU38AWON2KMjDHve7gOZ0CfkDf0K/K8/Vt+uzzPgYG53/OqFJGiGw7eyTTPC+zDTTP5/
 6PDfCEfYzVNGSkSiP8S1B35f+r4qiJfjIYLFvCw/h+E/uc82RAUZG59J0siYVocXbZxt
 Qe831HbRnHrpaan7vlk7Oaa8TPgnXQ07yLZt+f0OU6o5Q46I4CsjKj32d0vrTJR6ZpS4
 qSvtVO4rlPcAS8O+KkRlY88OwFxZ0779S0OvdixB6unEiK7OVasMJKAYxgm95Lx5CGqA
 TItw==
X-Forwarded-Encrypted: i=1;
 AJvYcCViYD5M3yKZt71M3asEIb+jirZVZWVYdY5DigBlxTqRauorFbJfxRbMPp1jlu8c7KN/3Eekd4gmW8+wfvleEXUUp3E=
X-Gm-Message-State: AOJu0YxjNsFOyBoniUvB7ILh9LRBnl2UQaTVISPB6nm5DcdMqYWgSj3x
 d+rQZKwi4ryhcNYyPGjwo0nO2fFDj3RGUmcqRCIAiEnLpTf14l81
X-Google-Smtp-Source: AGHT+IFXYbhTQfCrdKhQtq+2A1FdkaUpvybtVwXyZi39JrKPb62Myvm7pkBE6YMym70KZn0Fhul8qw==
X-Received: by 2002:a05:6a00:2e27:b0:6e6:946b:a983 with SMTP id
 fc39-20020a056a002e2700b006e6946ba983mr10966135pfb.10.1712046560887; 
 Tue, 02 Apr 2024 01:29:20 -0700 (PDT)
Received: from [10.105.170.223] ([116.212.244.50])
 by smtp.gmail.com with ESMTPSA id
 ka2-20020a056a00938200b006e6855c3290sm9203235pfb.27.2024.04.02.01.29.18
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 02 Apr 2024 01:29:20 -0700 (PDT)
Date: Tue, 02 Apr 2024 16:29:09 +0800
From: adanskana@gmail.com
Subject: Re: xz backdoor
To: Attila Lendvai <attila@lendvai.name>
Cc: Leo Famulari <leo@famulari.name>, Reza Housseini
 <reza.housseini@gmail.com>, guix-devel@gnu.org
Message-Id: <LK3BBS.4DLFV4THERGY2@gmail.com>
In-Reply-To: <4LDx-9hBj5DEyn9y2G5nConlVoRGV8FUgWa0UHApS_4DtaXDpLt6XF8yymmJCkJkyoLXj3CfxP6xgNL6TYm5bo02s2b3ZebeuwU_MWtiol0=@lendvai.name>
References: <3ae39210-ba8b-49df-0ea1-c520011b7cf3@gmail.com>
 <ZgtCzmz4Y_99qyNv@jasmine.lan>
 <4LDx-9hBj5DEyn9y2G5nConlVoRGV8FUgWa0UHApS_4DtaXDpLt6XF8yymmJCkJkyoLXj3CfxP6xgNL6TYm5bo02s2b3ZebeuwU_MWtiol0=@lendvai.name>
X-Mailer: geary/44.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-k5oMCFg0h+NcTnAqywLC"
Received-SPF: pass client-ip=2607:f8b0:4864:20::42d;
 envelope-from=adanskana@gmail.com; helo=mail-pf1-x42d.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: guix-devel-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Spam-Score: -6.54
X-Migadu-Queue-Id: 340A224150
X-Migadu-Scanner: mx12.migadu.com
X-Migadu-Spam-Score: -6.54
X-TUID: TyJy1vQUqeAX

--=-k5oMCFg0h+NcTnAqywLC
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi all,

On Tue, Apr 2 2024 at 08:23:40 AM +0000, Attila Lendvai=20
<attila@lendvai.name> wrote:
>>  There's actually suspicious code by the xz attacker in one of our
>>  packages right now:
>>=20
>>  <https://issues.guix.gnu.org/issue/70113>
>>=20
>>  Please help review that patch!
>=20
>=20
> as for gpaste (one of the dependees of libarchive):
>=20
> it doesn't build since the recent gnome merge. i've filed a patch for=20
> the necessary version bump:
>=20
> <https://issues.guix.gnu.org/70133>
>=20
> which also gets rid of the libarchive dependency.
I mentioned this on the guix XMPP server. Thanks for fixing this!
>=20
> it would be nice to get this fast tracked. although, judging from the=20
> (lack of) complaints, i might be the only user of it.
>=20
> PS: and meanwhile we're packaging an alternative, namely=20
> gnome-shell-extension-clipboard-indicator, with an enormous security=20
> flaw: by default it saves the clipboard history in clear text, and=20
> calls the feature "cache only favorites", so that even if you look=20
> for it, you still don't realize it:
>=20
> <https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/iss=
ues/138#issuecomment-904689439>
>=20
> ...and its author actively defends this situation.
I used gpaste up until the merge and went to use the extension. I had=20
absolutely no idea this was the state of things; that is very worrying.=20
I'm keen to see your patch fasttracked - you're not the only user, haha!
>=20
> --
> =95 attila lendvai
> =95 PGP: 963F 5D5F 45C7 DFCD 0A39
> --
> =93The noble-minded are calm and steady. Little people are forever=20
> fussing and fretting.=94
> 	=97 Confucius (551=96479 BC), 'Analects of Confucius'

Thanks,
Ada





--=-k5oMCFg0h+NcTnAqywLC
Content-Type: text/html; charset=windows-1251
Content-Transfer-Encoding: quoted-printable

<div id=3D"geary-body" dir=3D"auto"><div>Hi all,&nbsp;</div></div><div id=
=3D"geary-quote" dir=3D"auto"><br>On Tue, Apr 2 2024 at 08:23:40 AM +0000, =
Attila Lendvai &lt;attila@lendvai.name&gt; wrote:<br><blockquote type=3D"ci=
te"><div class=3D"plaintext" style=3D"white-space: break-spaces;"><blockquo=
te> There's actually suspicious code by the xz attacker in one of our
 packages right now:
=20
 <a href=3D"https://issues.guix.gnu.org/issue/70113">https://issues.guix.gn=
u.org/issue/70113</a>
=20
 Please help review that patch!
</blockquote>

as for gpaste (one of the dependees of libarchive):

it doesn't build since the recent gnome merge. i've filed a patch for the n=
ecessary version bump:

<a href=3D"https://issues.guix.gnu.org/70133">https://issues.guix.gnu.org/7=
0133</a>

which also gets rid of the libarchive dependency.</div></blockquote><span s=
tyle=3D"white-space-collapse: break-spaces;">I mentioned this on the guix X=
MPP server. Thanks for fixing this!&nbsp;<br></span><blockquote type=3D"cit=
e"><div class=3D"plaintext" style=3D"white-space: break-spaces;">
it would be nice to get this fast tracked. although, judging from the (lack=
 of) complaints, i might be the only user of it.

PS: and meanwhile we're packaging an alternative, namely gnome-shell-extens=
ion-clipboard-indicator, with an enormous security flaw: by default it save=
s the clipboard history in clear text, and calls the feature "cache only fa=
vorites", so that even if you look for it, you still don't realize it:

<a href=3D"https://github.com/Tudmotu/gnome-shell-extension-clipboard-indic=
ator/issues/138#issuecomment-904689439">https://github.com/Tudmotu/gnome-sh=
ell-extension-clipboard-indicator/issues/138#issuecomment-904689439</a>

...and its author actively defends this situation.</div></blockquote><span =
style=3D"white-space-collapse: break-spaces;">I used gpaste up until the me=
rge and went to use the extension. I had absolutely no idea this was the st=
ate of things; that is very worrying. I'm keen to see your patch fasttracke=
d - you're not the only user, haha!<br></span><blockquote type=3D"cite"><di=
v class=3D"plaintext" style=3D"white-space: break-spaces;">
<div>--=20
</div>=95 attila lendvai
=95 PGP: 963F 5D5F 45C7 DFCD 0A39
--
=93The noble-minded are calm and steady. Little people are forever fussing =
and fretting.=94
	=97 Confucius (551=96479 BC), 'Analects of Confucius'
</div></blockquote><span style=3D"white-space-collapse: break-spaces;"><br>=
Thanks,&nbsp;</span><div><span style=3D"white-space-collapse: break-spaces;=
">Ada<br><br><br><br></span></div></div>
--=-k5oMCFg0h+NcTnAqywLC--