This article is rated B-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
This article is written in Australian English, which has its own spelling conventions (colour, realise, program, labour (but Labor Party)) and some terms that are used in it may be different or absent from other varieties of English. According to the relevant style guide, this should not be changed without broad consensus.
On 20 April 2024, it was proposed that this article be moved to XZ backdoor. The result of the discussion was not moved.
The article currently claims that the bad actors used socks to badger the developer into ceding control of his project. While the supporting Ars Technica ref does provide circumstantial evidence that this happened, it isn't definitive. I think we need to at least qualify the claim until we have a better ref. Ef80 (talk) 13:56, 3 April 2024 (UTC)
A citation needed tag is attached to where it says software vendors have reverted to an older version. The sources right before it do say that packages were reverted to an older unaffected version. We should move the sources to the end of the sentence and remove the tag. NotAPenguinSpy (talk) 14:21, 3 April 2024 (UTC)
@Melmann I'm not saying that he did the work on behalf of Microsoft, just that he worked there at the time of the discovery. I think that is a noteworthy item, similar to his involvement in PostgreSQL. PhotographyEdits (talk) 17:57, 3 April 2024 (UTC)
@DefaultFree In regard to your revert, the contention is that if it is not work for hire, then it is not relevant. Why include mentions of his employer, as this fact has no bearing on the work he performed off-the-clock. To give another example, Freund appears to be German, but this is not a fact we are mentioning because it has no bearing on the work he performed. But if his work was funded by the German government, then it would be a worthwhile inclusion, in my opinion. Melmann 21:18, 3 April 2024 (UTC)
"his involvement in PostgreSQL appears to have been his most notable claim to fame" and that his Microsoft employment was not similarly notable? The Ars ref, for example, seems to give more weight to his MS employment than his pgsql involvement. DefaultFree (talk) 21:31, 3 April 2024 (UTC)
This sentence is propaganda and should be removed. According to the article about Dave Aitel, this person works for the CIA. So there is an obvious conflict of interest. The US American foreign intelligence service accuses the Russian foreign intelligence service. Actually many actors worldwide would have a motive and the means to pull this off, including the CIA. In order to accuse one particular actor, one should present some real evidence. -- 193.96.224.70 (talk) 21:20, 6 April 2024 (UTC)
I'm appalled by seeing my edits being reverted. The ticket itself has a discussion including the creator and the leader of the project, Lennart Poettering, and core systemd developers. I've now found not just one but two news sources (opennet.ru is the most popular Linux news website for Russian-speaking readers and has tens of thousands of visits daily), and that's called "no reliable sources". What's a reliable source of anything Linux related? Engadget? Wired? Who decides what is reliable?? That's outright disgusting. And I'm 100% sure the people who revert my edits do so without knowing anything either about Linux or security in general. This is not "*Pedia", this is "We put our rules above extremely serious stuff". Suit yourself.
This is the reverted part. I'll leave it here for posterity. That's my text, it's pertinent for the discussion page:
Systemd changes
As a result of this incident a question [1] of unneeded dependencies in Systemd was raised [2] [3] and it led to the project being reworked and dropping link-time dependencies on many libraries, including gcrypt, LZ4, ZSTD, LZMA and BPF. An objection that dependencies had now become hidden and non-transparent was raised, but systemd developers refuted it and said that support for unneeded libraries could be disabled completely at compilation time. [4]
References
- [1] "Reduce dependencies of libsystemd · Issue #32028 · systemd/systemd". GitHub. Retrieved 2024-04-07.
- [2] Darkcrizt (2024-04-06). "In systemd the idea of reducing libsystemd dependencies is raised". Linux Adictos. Retrieved 2024-04-08.
- [3] "Инициатива по сокращению зависимостей у libsystemd" [Initiative to reduce the dependencies of libsystemd]. www-opennet-ru.translate.goog (in Russian). Retrieved 2024-04-08.
- [4] "Reduce dependencies of libsystemd · Issue #32028 · systemd/systemd". GitHub. Retrieved 2024-04-07.
Artem S. Tashkinov (talk) 14:40, 8 April 2024 (UTC)
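The point of the reverted section above is the link-time (DT_NEEDED) chain: on distributions whose OpenSSH is patched to link libsystemd, sshd loaded liblzma at start-up purely because libsystemd listed it as a dependency, and that is what the systemd change removes. The script below is an added example, not part of this talk page nor code from the systemd, xz or OpenSSH projects. It parses constructed `readelf -d` output (the library set and version numbers are an assumption of the example, not captured from a real host) and reports the chain through which a binary pulls in a given library. On a real machine the same walk is done by feeding it the output of `readelf -d /usr/sbin/sshd` and of each library it names.

```python
import re
from collections import deque
from typing import Dict, List, Optional

# Matches the DT_NEEDED lines that `readelf -d` prints, e.g.
#  0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

# Constructed sample `readelf -d` output keyed by object name. Names and
# versions are illustrative assumptions, not a capture from a real host.
# BEFORE: libsystemd carries liblzma as a DT_NEEDED entry, so loading sshd
# maps liblzma (and runs its constructors) although sshd never calls it.
READELF_BEFORE: Dict[str, str] = {
    "sshd": """
Dynamic section at offset 0x1a2b38 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x12000
""",
    "libsystemd.so.0": """
 0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libzstd.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libgcrypt.so.20]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "libcrypto.so.3": """
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "liblzma.so.5": """
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "libzstd.so.1": "",
    "libgcrypt.so.20": "",
    "libc.so.6": "",
}

# AFTER: the same objects once libsystemd no longer links the compression
# libraries at link time (it loads them on demand with dlopen() instead).
READELF_AFTER: Dict[str, str] = dict(READELF_BEFORE)
READELF_AFTER["libsystemd.so.0"] = """
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""


def parse_needed(readelf_output: str) -> List[str]:
    """Return the DT_NEEDED sonames found in one `readelf -d` dump, in order."""
    return NEEDED_RE.findall(readelf_output)


def link_time_closure(root: str, table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Breadth-first walk over DT_NEEDED edges starting at `root`.

    Returns {object: the object whose DT_NEEDED entry first pulled it in};
    the root maps to None. Objects absent from `table` are treated as leaves
    so an incomplete set of dumps still yields a (partial) answer.
    """
    parent: Dict[str, Optional[str]] = {root: None}
    queue = deque([root])
    while queue:
        obj = queue.popleft()
        for dep in parse_needed(table.get(obj, "")):
            if dep not in parent:
                parent[dep] = obj
                queue.append(dep)
    return parent


def dependency_path(root: str, target: str, table: Dict[str, str]) -> Optional[List[str]]:
    """Chain of objects through which `root` loads `target` at link time,
    e.g. ['sshd', 'libsystemd.so.0', 'liblzma.so.5'], or None when `target`
    is not in the root's DT_NEEDED closure."""
    parent = link_time_closure(root, table)
    if target not in parent:
        return None
    path = [target]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])  # walk back up to the root
    return path[::-1]


if __name__ == "__main__":
    for label, table in (("before", READELF_BEFORE), ("after", READELF_AFTER)):
        print(label, dependency_path("sshd", "liblzma.so.5", table))
```

The caveat is the one the objection in the post makes: a library that libsystemd opens with dlopen() leaves no DT_NEEDED entry, so an empty result from this walk only says that liblzma is not mapped at load time, not that it can never be loaded into the process.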
@Eric lagergren: in these edits, you removed the word "the" which I had added, following the advice of WP:FALSETITLE. Your edit comment was "grammar". This is not an issue of grammar, but of style. As our article false title points out, omitting "the" in cases like "the programmer John Doe" is journalese and thus not appropriate for an encyclopedia. -- Macrakis (talk) 14:44, 9 April 2024 (UTC)
The result of the move request was: not moved, per consensus. – robertsky (talk) 08:50, 30 April 2024 (UTC)
XZ Utils backdoor → XZ backdoor – This looks like the more common name used in sources [2] [3] [4] [5] Tehonk (talk) 18:10, 20 April 2024 (UTC)
It has been noted by many that the choice of name "Jia Tan", while not likely to be a real Chinese name, was probably chosen to cast suspicion on China in the event of discovery. The introduction of this article indicates that the backdoor was introduced by Jia Tan without so much as quotation marks around the name. A footnote is provided clarifying the anonymity of Jia Tan (though without commenting on the choice of name). Anyone skimming the article intro or reading the Google summary having googled "xz backdoor" will never even see that footnote. If indeed the name was chosen to direct suspicion at China, whoever's idea it was must be very pleased to see that Wikipedia is aiding the cause.
In other words, I really think some indication of the nature of "Jia Tan" should be included in the introduction. Blex-max (talk) 12:01, 9 May 2024 (UTC)
"It has been noted by many that the choice of name 'Jia Tan', while not likely to be a real Chinese name, was probably chosen to cast suspicion on China in the event of discovery."
Do you have a reliable source to support this? It seems entirely speculative. The name used was "Jia Tan". That is a fact. Facts are objective. If readers draw unreasonable inferences, so be it, Wikipedia is not censored. Local Variable (talk) 03:19, 19 May 2024 (UTC)
I have asked the user Xkcd (Randall Munroe) to consider licensing 'xkcd no. 2347 Dependency' under a Commons compatible license, for inclusion into this article. The message text and response(s), if any, have been transcluded below.
Hi @Xkcd. Your comic 'xkcd no. 2347 Dependency' has been mentioned by many reliable sources as capturing the essence of the fiasco surrounding the XZ Utils backdoor. I have added an external link to it with this edit on 2024-04-12 (2 months ago), and the change appears to be stable.