this post was submitted on 03 Apr 2024
132 points (95.8% liked)

Linux

48220 readers
964 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Linux Firmware Update Utility Fwupd Will Use Zstd Compression for Future Releases

The devs are also considering enforcing signed commits in an attempt to prevent supply chain issues like the XZ backdoor.

Edit: note for downvotes: I understand some of you disagree with the need for a switch. However, are you downvoting the news itself (i.e. shooting the messenger?)

top 27 comments
sorted by: hot top controversial new old
[–] BaalInvoker@lemmy.eco.br 52 points 7 months ago (2 children)

I think it solves nothing, cause it's not primarily a XZ issue itself, but some bad actors that infiltrate into the community for years to finally use his credibility to upload a backdoor. Every single package is vulnerable to this kind of attack and has little we can do to completely avoid it

Of course we have to make the best moves to prevent this happening again, however it's not a simple "I'll use X instead of Z" (see what I did here?!), cause both X and Z may be doomed with this shit anytime

[–] GravelPieceOfSword@lemmy.ca 14 points 7 months ago (1 children)

The article states reasons which aren't limited to what happened. I understand and agree with your sentiment about the supply chain issue being something that could happen anywhere - those were my initial thoughts too.

The reasons for shifting are related to speed, other mainstream software already having made that switch years ago (pre incident), and unfortunately... More robustness in terms of maintainers.

Open source funding and resilience should be mainstream discussions. Open source verification and security reliability should be mainstream discussions: here's a recent mastodon thread I found interesting:

https://ruby.social/@getajobmike/112202543680959859

However, people switching from x to z (I did see what you did there) is something that is going to happen considering the other factors listed in the article that I summarized above.

[–] BaalInvoker@lemmy.eco.br 9 points 7 months ago

Well, if the choice to change from XZ to zstd is based on other technical features, my previous point is pointless

It's always great to see better technology being implemented!

[–] Killing_Spark@feddit.de 8 points 7 months ago (1 children)

One good thing about zstd is that the main developer is full-time employed to work on it. Alas he's employed by meta to do that... But it's likely harder to social engineer your way into that project

[–] bigmclargehuge@lemmy.world 5 points 7 months ago

This is definitely a huge unsung benefit of having larger corperations get their fingers into FOSS projects. Not just the funding, which is great, but the literal job security. Good luck bullying a meta or google employee into giving over control to a stranger.

[–] bizdelnick@lemmy.ml 22 points 7 months ago (2 children)

Look at what libs zstd is linked to. You'll be surprised.

[–] lemmyreader@lemmy.ml 19 points 7 months ago (1 children)

ldd $(which zstd)

liblzma.so.5

... wow

[–] Laser@feddit.de 11 points 7 months ago (2 children)

Here, it's libzstd.so, libc and glibc, and libzstd only libc and glibc. What do you mean? At first I thought you were implying an liblzma dependency, but there's no such thing, at least can't see it.

[–] bizdelnick@lemmy.ml 7 points 7 months ago (2 children)
% libtree /usr/bin/zstd
/usr/bin/zstd 
├── libz.so.1 [ld.so.conf]
├── liblz4.so.1 [ld.so.conf]
└── liblzma.so.5 [ld.so.conf]
% lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm
%
[–] Laser@feddit.de 11 points 7 months ago (1 children)

Maybe Debian's goal is to make liblzma a dependency of everything possible? It wasn't a standard dependency of OpenSSH either, but rather something they patched in. ;)

[–] bizdelnick@lemmy.ml 1 points 7 months ago (1 children)

What's your distro and how did you check needed libraries? I guess that liblzma.so can be needed by libzstd.so in your system.

[–] Laser@feddit.de 5 points 7 months ago* (last edited 7 months ago)

NixOS, did a ldd (which zstd) and then ldd on the reported libzstd file.

Not using a POSIX shell before people complain about syntax

Edit: if you look at https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/tools/compression/zstd/default.nix, you'll see that buildInputs is not being set, which means it can't link to anything except the standard libraries.

[–] tastysnacks@programming.dev 2 points 7 months ago (2 children)

Bookworm was unaffected by this though, right?

[–] caseyweederman@lemmy.ca 3 points 7 months ago

Canonical is delaying Noble by more than a week so they can rebuild every binary in a clean environment, just in case the build process itself was affected.

[–] bizdelnick@lemmy.ml 2 points 7 months ago
% xz --version 
xz (XZ Utils) 5.4.1
liblzma 5.4.1
%

I hope so.

[–] Killing_Spark@feddit.de 3 points 7 months ago

Apparently it differs between distributions

[–] unionagainstdhmo@aussie.zone 11 points 7 months ago (2 children)

https://www.softwaremaxims.com/blog/not-a-supplier

Calling it a supply chain is rich. Also I'm pretty sure the XZ person was signing their commits anyway.

[–] GravelPieceOfSword@lemmy.ca 4 points 7 months ago* (last edited 7 months ago)

As with all definitions, there is a gray area where people will have different boundaries on exact meanings. To you - a supplier relationship needs an explicit payment, which is a fair definition.

However, the more widely used definition that most people, including me, refer to, is not necessarily focused on the supplier, but on the supply - what we use in our toolchains is a supply - regardless of how it was obtained.

When there is an issue in a trusted supply, even if it was not a commercial relationship (a prerequisite by your definition), it is a supply-chain attack by the more widely used definition.

[–] possiblylinux127@lemmy.zip 2 points 7 months ago (1 children)

Brodie is that you?

Anyhow I would argue that it is indeed a supply chain but you still need to be respectful of the volunteers. The article seems to mostly talking about proprietary software anyway.

[–] unionagainstdhmo@aussie.zone 1 points 7 months ago

Brodie is that you?

His video is where I got that from. Well as the article points out it's not like a traditional supply chain where there is an agreement or guarantees.

[–] mariusafa@lemmy.sdf.org 7 points 7 months ago* (last edited 7 months ago) (1 children)

I thought major software devs used signed commits. I don't have that much git experience and I have everything gpg signed even since the first repo I did.

This makes me question a lot of software.

[–] GravelPieceOfSword@lemmy.ca 11 points 7 months ago

They do. They did. What do you do when a 'good guy' is really a bad guy? Happens outside of software too. Someone inserts themselves into an organization while secretly working against its interests.

Here's a good summary. However, you should read a few articles - plenty have been going around, including on Lemmy.

[–] rollingflower@lemmy.kde.social 6 points 7 months ago

As did Fedora for RPM packaging since 31. Good progress, but signed commits have nothing to do here I think.

[–] lemmyreader@lemmy.ml 6 points 7 months ago

Following Arch Linux which made that move years ago. https://archlinux.org/news/now-using-zstandard-instead-of-xz-for-package-compression/

As announced on the mailing list, on Friday, Dec 27 2019, our package compression scheme has changed from xz (.pkg.tar.xz) to zstd (.pkg.tar.zst).

[–] gianni@lemmy.ml 3 points 7 months ago

Aside from the backdoor (which is a moot point when talking about zstd anyway), there are a number of other very good reasons to use ZSTD.

[–] MigratingtoLemmy@lemmy.world 1 points 7 months ago

I think that's a decent approach