santiago,
@santiago@masto.lema.org

So my ticket about checking xz backdoor risk on was closed. Summing up: the issue doesn’t affect the system as it isn’t Linux, doesn’t use glibc runtime linker or ifuncs and it is built from git repo, not the tarball.

https://dev.haiku-os.org/ticket/18872#ticket

santiago,
@santiago@masto.lema.org

My take on this is a non-technological one: the internet is filled with articles saying to check if you have 5.6.1 (and if so you are supposedly in danger). I would personally revert to 5.4 until 5.7 comes out so the psychological issue gets fixed together with the technical issue.

This is probably the reason large Linux distributors chose the safe way: it’s easier to explain that they reverted to 5.4 than to say that 5.61b is safe while 5.61 was dangerous.

pulkomandy,
@pulkomandy@mastodon.tetaneutral.net

@santiago no, it's because we don't know how safe "5.6.1b" is. One backdoor was found, but the person who did it was apparently in control of the project for the last two years. Who knows what else they did during that time.

So, the right approach is indeed to go back to the last version before things were compromised. That is 5.4.

However, you reported the problem to Haiku, which has nothing to do with this, instead of Haikuports. That's why it was closed. No version of Haiku ships with 5.6.

santiago,
@santiago@masto.lema.org

@pulkomandy Thanks for the clarification. To be fair, I always get terribly confused between what is in Haikuports and what is part of Haiku. Especially with sort of essential stuff. Maybe the form for reporting bugs should have a warning about this (and how to find out if it’s part of the base OS).

pulkomandy,
@pulkomandy@mastodon.tetaneutral.net

@santiago It would be great if Haikuports had a stable release every now and then, instead of the current system of "everything pushed to the git repository gets built and put in the repo in a few minutes by an entirely automated process". But there is nothing Haiku can do about it, the projects are relatively independent, even if there is currently some overlap of the development teams (by necessity: we need more people to run all this).
