Date: Sat, 30 Mar 2024 14:48:48 +0200
From: Lasse Collin
To: Andrew Morton
Cc: Jonathan Corbet, Kees Cook, Jia Tan, linux-kernel@vger.kernel.org
Subject: Re: [tech-board] [PATCH 00/11] xz: Updates to license, filters, and compression options
Message-ID: <20240330144848.102a1e8c@kaneli>

On 2024-03-29 Andrew Morton wrote:
> On Fri, 29 Mar 2024 14:51:41 -0600 Jonathan Corbet wrote:
>
> > > Andrew (and anyone else), please do not take this code right now.
> > >
> > > Until the backdooring of upstream xz[1] is fully understood, we
> > > should not accept any code from Jia Tan, Lasse Collin, or any
> > > other folks associated with tukaani.org. It appears the domain,
> > > or at least credentials associated with Jia Tan, have been used
> > > to create an obfuscated ssh server backdoor via the xz upstream
> > > releases since at least 5.6.0. Without extensive analysis, we
> > > should not take any associated code. It may be worth doing some
> > > retrospective analysis of past contributions as well...
> > >
> > > Lasse, are you able to comment about what is going on here?
> >
> > FWIW, it looks like this series has been in linux-next for a few
> > days. Maybe it needs to come out, for now at least?
>
> Yes, I have removed that series.

Thank you. None of these patches are urgent. I'm on a holiday and only
happened to look at my emails and it seems to be a major mess.

My proper investigation efforts likely start in the first days of
April. That is, I currently know only a few facts which alone are bad
enough.

Info will be updated here: https://tukaani.org/xz-backdoor/

-- 
Lasse Collin