I’ve gotten half a dozen messages on various forums declaring that the xz backdoor is eerily reminiscent of a major plot element of $ git commit murder.
I’ve been a sysadmin for decades, and hanging around with operating system developers nearly as long. I came up with a plan for a “difficult but achievable” hack. I checked with various actual developers to see if it was realistic, and adjusted the hack based on their feedback.
Target a userland tool. Hook it into the operating system core. Proceed from there. The plan is easy, the execution fiercely difficult, the coincidence unsurprising.
I can say that if Dale had developed this hack, it would not have damaged the host’s ability to serve SSH requests. He would have caught that and fixed it before deployment.
I feel compelled to acknowledge this similarity, however. Coupon code xzhack gets you 50% off $ git commit murder and $ git sync murder at my store. This expires 8 April 2024.
To all the sysadmins who are having a bad weekend because of this hack, I offer my sincere condolences. Just because the blast missed me this time doesn’t mean I don’t feel your pain, or that I won’t be caught next time.
To the author of the hack I would like to say: you are a dick.