tutfbhuf | 1 year ago

So, you suggest that Frederik Schwan had prior knowledge of the security issues but hid the real purpose of the commit under "improve reproducibility"?

gpm | 1 year ago

Yes.

I've never had to do it myself, but I believe that's common practice with embargoes on security vulnerabilities.

jethro_tell | 1 year ago

And, if you break the embargo too many times, then you just find out with the rest of us, and that's not a great way to run a distro. I believe OpenBSD is or was in that position around the time of the Intel speculative execution bugs.

bombcar | 1 year ago

It can lead to amusing cases where the intentional vuln comes in "to improve x" and the quiet fix comes in "to improve x".

Starlevel004 | 1 year ago

xz was masked in the Gentoo repositories earlier today with the stated reason of "Investigating serious bug". No mention of security. It's pretty likely.

NekkoDroid | 1 year ago

This is very likely the case. Arch maintainers do get early information on CVEs just like any other major distro.

But with pacman/makepkg 6.1 (which was recently released), git sources can also now be checksummed IIRC, which is a funny coincidence.