Subject: Re: XZ force downgrade led to removal of many packages
From: Ralf Mardorf
To: ~alpine/users@lists.alpinelinux.org
Date: Sat, 30 Mar 2024 11:39:53 +0100
Message-ID: <9950f380892dea7134b69901f5ee5f7c9283ca47.camel@riseup.net>
In-Reply-To: <974c079f-8e90-495c-a9f8-c266eb458f09@vk4msl.com>
References: <1c614505-92f2-42b4-ba46-b227777e0d5b@lodispoto.com> <974c079f-8e90-495c-a9f8-c266eb458f09@vk4msl.com>

On Sat, 2024-03-30 at 20:15 +1000, Stuart Longland VK4MSL wrote:
> Now, AlpineLinux, like Gentoo…
>
> - uses OpenRC (Gentoo *can* use systemd, but the default is OpenRC)
> - does not use RPM or DEB packages
> - likely will not be patching OpenSSH to support systemd-notify since
>   the latter is not present

Hi,

security through naivety is new to me. For example, Arch uses systemd by
default, but does not link openssh directly to liblzma. Arch uses neither
RPM nor DEB. From a naive point of view, Arch is not affected either.

"However, out of an abundance of caution, we advise users to remove the
malicious code from their system by upgrading either way. This is because
other yet-to-be discovered methods to exploit the backdoor could exist."
- https://lists.archlinux.org/archives/list/arch-announce@lists.archlinux.org/thread/MX363534MGK44R5UIYPK4GABKHF76TYC/

Regards,
Ralf
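The distinction the thread turns on (whether a distribution's sshd ends up with liblzma in its process, directly or through a systemd-notify patch that pulls in libsystemd) is something a host can be checked for. The following POSIX sh is an added example and is not code from this message, from Alpine, or from Arch. It classifies `ldd`-style output; the two sample listings are constructed for the example rather than captured from a real host, and the verdict strings are my own wording.

```sh
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Classify an ldd-style listing of an sshd binary by whether liblzma is
# present and whether it arrived via libsystemd. Input is passed as a
# string so the logic can be exercised offline on constructed data.

# links_liblzma LISTING: exit 0 if any line references liblzma.so, else 1.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# links_libsystemd LISTING: exit 0 if any line references libsystemd.so,
# the library through which a systemd-notify patched sshd reaches liblzma.
links_libsystemd() {
    printf '%s\n' "$1" | grep -q 'libsystemd\.so'
}

# classify LISTING: print one verdict line for the listing.
classify() {
    if links_liblzma "$1"; then
        if links_libsystemd "$1"; then
            echo "sshd loads liblzma via libsystemd: the backdoored library would be in-process"
        else
            echo "sshd loads liblzma directly"
        fi
    else
        echo "sshd does not load liblzma: not directly exposed, but upgrade xz anyway"
    fi
}

# Constructed sample listings (assumed shapes, not captured from a host).
SAMPLE_PATCHED='linux-vdso.so.1
libcrypto.so.3 => /usr/lib/libcrypto.so.3
libsystemd.so.0 => /usr/lib/libsystemd.so.0
liblzma.so.5 => /usr/lib/liblzma.so.5
libc.so.6 => /usr/lib/libc.so.6'

SAMPLE_PLAIN='linux-vdso.so.1
libcrypto.so.3 => /usr/lib/libcrypto.so.3
libz.so.1 => /usr/lib/libz.so.1
libc.so.6 => /usr/lib/libc.so.6'

# Live use on a host (ldd follows transitive dependencies, which is what
# matters here, since sshd itself never NEEDs liblzma):
#   classify "$(ldd "$(command -v sshd)" 2>/dev/null)"
```

Two caveats for real use: `ldd` may execute the target's dynamic loader, so on a host you already distrust prefer reading `/proc/<pid>/maps` of the running sshd, which shows what is actually mapped rather than what would be; and, as the Arch advisory quoted above says, a "does not load liblzma" verdict only rules out the known sshd path, not the presence of the malicious library itself, so the xz package still needs replacing.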