undefined | Better HN

0 pointstutfbhuf1y ago0 comments

So, you suggest that Frederik Schwan had prior knowledge of the security issues but hid the real purpose of the commit under "improve reproducibility"?

0 comments

gpm1y ago

Yes.

I've never had to do it myself but I believe that's common practice with embargos on security vulnerabilities.

jethro_tell1y ago

And, If you break the embargo too many times then you just find out with the rest of us and that's not a great way to run a distro. I believe openbsd is or was in that position around the time of the intel speculative execution bugs.

bombcar1y ago

It can lead to amusing cases where the intentional vuln comes in "to improve x" and the quiet fix comes in "to improve x".

Starlevel0041y ago

xz was masked in the Gentoo repositories earlier today with the stated reason of "Investigating serious bug". No mention of security. It's pretty likely.

donio1y ago

5.6.1 is masked specifically.

Also, https://mastodon.social/@mgorny@treehouse.systems/1121802382... from a Gentoo dev mentions that Gentoo doesn't use the patch that results in sshd getting linked against liblzma.

As far as I know this is not an official communication channel so don't take it as such.

NekkoDroid1y ago

This is very likely the case. Arch maintainers do get early information on CVEs just like any other major distro.

But with pacman/makepkg 6.1 (which recently released) git sources can also now be check summed IIRC which is a funny coincidence.

j / k navigate · click thread line to collapse