| ▲ | everforward 4 hours ago | |
I think that article proves the opposite. > While xz is commonly present in most Linux distributions, at the time of discovery the backdoored version had not yet been widely deployed to production systems, but was present in development versions of major distributions. Ie if you weren’t running dev distros in prod, you probably weren’t exposed. Honestly a lot of packaging is coming back around to “maybe we shouldn’t immediately use newly released stuff” by delaying their use of new versions. It starts to look an awful lot like apt/yum/dnf/etc. I would wager in the near future we’ll have another revelation that having 10,000 dependencies is a bad thing because of supply chain attacks. | ||
| ▲ | woodruffw 3 hours ago | parent | next [-] | |
Per below, xz is also an example of us getting lucky. > I would wager in the near future we’ll have another revelation that having 10,000 dependencies is a bad thing because of supply chain attacks. Yes, but this also has nothing to do with native vs. non-native. | ||
| ▲ | consp 3 hours ago | parent | prev [-] | |
This is the security equivalent of having a better lock than your neighbour. Won't save you in the end but you won't be first. Then again, yours could also be broken and you don't get to tick of that audit checkbox. | ||