Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz #backdoor:
Noteworthy: - #OpenSSH implemented systemd notification - #systemd moves to dlopen(3) for some dependencies - another detailed timeline at research.swtch.com/xz-timeline - similar social engineering takeover attempts suspected in #OpenJS and #OpenSSF
Jan Schaumann
in reply to Jan Schaumann • • •Excellent summary by Solar Designer on oss-security of what's happened in the last two weeks in response to the #xz #backdoor:
openwall.com/lists/oss-securit…
Noteworthy:
- #OpenSSH implemented systemd notification
- #systemd moves to dlopen(3) for some dependencies
- another detailed timeline at research.swtch.com/xz-timeline
- similar social engineering takeover attempts suspected in #OpenJS and #OpenSSF
research!rsc: Timeline of the xz open source attack
research.swtch.com