[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202403291736.B7E9C61@keescook>
Date: Fri, 29 Mar 2024 17:37:45 -0700
From: Kees Cook <keescook@...omium.org>
To: Jonathan Corbet <corbet@....net>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: Lasse Collin <lasse.collin@...aani.org>, Jia Tan <jiat0218@...il.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 00/11] xz: Updates to license, filters, and compression
options
On Fri, Mar 29, 2024 at 02:51:41PM -0600, Jonathan Corbet wrote:
> "Kees Cook" <keescook@...omium.org> writes:
>
> > On Wed, Mar 20, 2024 at 08:38:33PM +0200, Lasse Collin wrote:
> >> XZ Embedded, the upstream project, switched from public domain to the
> >> BSD Zero Clause License (0BSD). Now matching SPDX license identifiers
> >> can be added.
> >>
> >> The new ARM64 and RISC-V filters can be used by Squashfs.
> >>
> >> Account for the default threading change made in the xz command line
> >> tool version 5.6.0. Tweak kernel compression options for archs that
> >> support XZ compressed kernel.
> >>
> >> Documentation was revised. There are minor cleanups too.
> >>
> >> Lasse Collin (11):
> >> MAINTAINERS: Add XZ Embedded maintainers
> >> LICENSES: Add 0BSD license text
> >> xz: Switch from public domain to BSD Zero Clause License (0BSD)
> >> xz: Documentation/staging/xz.rst: Revise thoroughly
> >> xz: Fix comments and coding style
> >> xz: Cleanup CRC32 edits from 2018
> >> xz: Optimize for-loop conditions in the BCJ decoders
> >> xz: Add ARM64 BCJ filter
> >> xz: Add RISC-V BCJ filter
> >> xz: Use 128 MiB dictionary and force single-threaded mode
> >> xz: Adjust arch-specific options for better kernel compression
> >>
> >> Documentation/staging/xz.rst | 130 ++++++++---------------
> >> LICENSES/deprecated/0BSD | 23 ++++
> >> MAINTAINERS | 14 +++
> >> include/linux/decompress/unxz.h | 5 +-
> >> include/linux/xz.h | 5 +-
> >> init/Kconfig | 5 +-
> >> lib/decompress_unxz.c | 39 ++++---
> >> lib/xz/Kconfig | 13 ++-
> >> lib/xz/xz_crc32.c | 7 +-
> >> lib/xz/xz_dec_bcj.c | 183 ++++++++++++++++++++++++++++++--
> >> lib/xz/xz_dec_lzma2.c | 5 +-
> >> lib/xz/xz_dec_stream.c | 5 +-
> >> lib/xz/xz_dec_syms.c | 16 +--
> >> lib/xz/xz_dec_test.c | 12 +--
> >> lib/xz/xz_lzma2.h | 5 +-
> >> lib/xz/xz_private.h | 20 ++--
> >> lib/xz/xz_stream.h | 7 +-
> >> scripts/Makefile.lib | 13 ++-
> >> scripts/xz_wrap.sh | 157 +++++++++++++++++++++++++--
> >> 19 files changed, 487 insertions(+), 177 deletions(-)
> >> create mode 100644 LICENSES/deprecated/0BSD
> >
> > Andrew (and anyone else), please do not take this code right now.
> >
> > Until the backdooring of upstream xz[1] is fully understood, we should not
> > accept any code from Jia Tan, Lasse Collin, or any other folks associated
> > with tukaani.org. It appears the domain, or at least credentials
> > associated with Jia Tan, have been used to create an obfuscated ssh
> > server backdoor via the xz upstream releases since at least 5.6.0.
> > Without extensive analysis, we should not take any associated code.
> > It may be worth doing some retrospective analysis of past contributions
> > as well...
> >
> > Lasse, are you able to comment about what is going on here?
>
> FWIW, it looks like this series has been in linux-next for a few days.
> Maybe it needs to come out, for now at least?
Yes, for sure. Andrew, just so it's explicitly clear: please remove this
series from -mm for now, until the situation is better understood.
Thanks!
-Kees
--
Kees Cook
Powered by blists - more mailing lists