lmm 3 days ago

> The XZ backdoor never made it to Debian stable. It is "still lurking in docker images" because Debian publishes unstable testing images, under a tag that is segregated from the stable release tags. You can find vulnerable containers for literally any vulnerability you can imagine by searching for the exact snapshot where things went wrong.

To a first approximation nothing ever makes it into Debian stable. Anyone working in an actively developed ecosystem uses the thing they pretend is an "experimental testing version". It's a marketing strategy similar to how everything from Google used to be marked as "beta".

djkoolaide 3 days ago

Given my understanding of Debian, I don't believe this can be attributed to a "marketing strategy."

lmm 3 days ago

It probably evolved as such rather than being deliberately planned, but the end result is the same.