Sat, 6 Apr 2024

12:10 PM - Update on xz

I've updated the xz version in 3.2-current to 5.4.x and avoided the known vulnerable releases. This aligns with recommendations from several sources.

As far as the calls to switch off xz for everything, that's unlikely in the short term. A lot of software distributed in mports uses tar.xz files. Further, package files generated by mport use it.  Early releases of mport used bzip2 but we migrated many years ago to tar.xz.  We're investigating the possibility of migrating to zstd and are working on updating libarchive to a newer release in base for this purpose.  It will likely not happen for the midnightbsd 3.2 release and will need to happen during a major release cycle.  (4.x? 3.3?) 

The long term risk is that xz isn't taken over or forked by a trustworthy source and CVEs start piling up.  The actual linux specific issues with 5.6.x are not a concern for BSD platforms aside from the real risk of something like this happening again.  (the supply chain attack piece is a danger)  

The harsh reality of open source is that there is a lot of code and it's difficult to review it all.  Companies have been bitten by issues like Amazon Music getting crypto mining node modules years ago or the recent attack on Notepad++ plugins.  It happens.  How we deal with it is what's important.