Date: Tue, 02 Apr 2024 08:23:40 +0000
From: Attila Lendvai
To: Leo Famulari
Cc: Reza Housseini, guix-devel@gnu.org
Subject: Re: xz backdoor
Message-ID: <4LDx-9hBj5DEyn9y2G5nConlVoRGV8FUgWa0UHApS_4DtaXDpLt6XF8yymmJCkJkyoLXj3CfxP6xgNL6TYm5bo02s2b3ZebeuwU_MWtiol0=@lendvai.name>
References: <3ae39210-ba8b-49df-0ea1-c520011b7cf3@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."

> There's actually suspicious code by the xz attacker in one of our
> packages right now:
>
> https://issues.guix.gnu.org/issue/70113
>
> Please help review that patch!

as for gpaste (one of the dependees of libarchive): it doesn't build since the recent gnome merge. i've filed a patch for the necessary version bump:

https://issues.guix.gnu.org/70133

which also gets rid of the libarchive dependency. it would be nice to get this fast tracked. although, judging from the (lack of) complaints, i might be the only user of it.

PS: and meanwhile we're packaging an alternative, namely gnome-shell-extension-clipboard-indicator, with an enormous security flaw: by default it saves the clipboard history in clear text, and calls the feature "cache only favorites", so that even if you look for it, you still don't realize it:

https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439

...and its author actively defends this situation.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“The noble-minded are calm and steady. Little people are forever fussing and fretting.”
	— Confucius (551–479 BC), 'Analects of Confucius'