Article on openSUSE News: What we need to take away from the XZ Backdoor

I just read an interesting article on the openSUSE News site, published today, about the XZ backdoor and on the internal measures taken against it by the openSUSE team before the public disclosure: What we need to take away from the XZ Backdoor, written by their packager for XZ, Dirk Mueller.

There, he states:

A few days [sic!] before the public disclosure of the XZ backdoor, the SUSE product security team got a hint that there is something odd with the XZ 5.6.x releases.

One day before disclosure […] SUSE product security received a longer and detailed report […] via the shared distros security disclosure list. The distros list is an encrypted mailing list where distributors collaborate and coordinate on disclosures of security issues.

By the time of the public disclosure, all workstreams had already completed. We identified the list of affected products, and had already released all updates for all affected ones. Communication was ready to be put online and sent out to the relevant parties.

We recognize that the XZ backdoor is cleverly built. Yet, it had surprising flaws in execution. Whoever is interested in embedding further backdoors has learned from the extensive public coverage of everything that went wrong. These mistakes have been pointed out, published and learned from. We have given the actors behind this backdoor free training for future attacks. It is time that distributions learn from this as well and also take training lessons. We need to actively collaborate and build a strong, reliable web of trust with open-source projects and each other to be prepared to handle the inevitable future challenges that will come.

This made me wonder how we fit into the collaborative “reliable web of trust” that Mueller mentioned, and what plans our project has to respond to similar developments in the future. Furthermore, I’m curious whether our security team was also aware of the issue well ahead of time. Thanks in advance for sharing your insights!


No, NixOS isn’t part of the distros list. It’s due to a combination of their rules and the way the infra is built (it would be difficult to add the ability to prepare binaries in secret).

I see. So it isn’t something we can easily change. Thank you for clarifying this point!