Talk:XZ Utils

Implementation section doesn't discuss underlying implementation
Instead, it's literally just a manual page for the command line interface.2600:1015:B128:AD42:10F0:916:7055:A3DE (talk) 07:59, 15 February 2019 (UTC)
 * Yep. I have renamed the section to Usage. &mdash;Fezzy 1 3 4 7 Let's chat 21:25, 5 February 2021 (UTC)

Add warning for usage given the compromised upstream code
Debian has located a major vulnerability in the code and shown that the liblzma code base in compromised. I think the wiki article should reference this.

Relevant Link https://www.openwall.com/lists/oss-security/2024/03/29/4 Vigh m (talk) 17:09, 29 March 2024 (UTC)


 * I second this. It's probably worth noting that many affected distributions have released patches for it, however at this stage nobody knows a whole lot about what's happened as far as I can see.
 * Archlinux announcement: https://archlinux.org/news/the-xz-package-has-been-backdoored/
 * Debian stable announcement: https://lists.debian.org/debian-security-announce/2024/msg00057.html
 * RedHat announcement (relevant to RHEL, Fedora): https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Pave unpaved (talk) 06:51, 30 March 2024 (UTC)
 * I added Alpine Linux to the list of affected Linux distros, but I'm not sure whether to include the page within their security database (https://security.alpinelinux.org/vuln/CVE-2024-3094), or the affected commit (https://gitlab.alpinelinux.org/alpine/aports/-/commit/11bc4fbf6b6fe935f77e45706b1b8a2923b2b203). I cited the latter, but should I change it to the page in the security database? Mintphin (talk) 16:35, 30 March 2024 (UTC)
 * After some talk with people involved in the project, Alpine is unaffected due to the attack using a function implemented in glibc but not on musl libc, which Alpine uses. Mintphin (talk) 16:48, 30 March 2024 (UTC)
 * it took way too long but we got a proper post https://alpinelinux.org/posts/XZ-backdoor-CVE-2024-3094.html Selfisekai (talk) 16:45, 1 April 2024 (UTC)
 * I think this chapter should be split into a different page. This probably satisfies the conditions for WHENSPLIT:
 * There's still more information on this incident that could be added as it is a current event. This section already takes 3 whole paragraphs and it can take more. SIZESPLIT
 * Other relevant information such as the identity of the attacker(s?) and their activity timeline could be added. This information is distinct enough from the XZ Utils itself CONSPLIT
 * Abogical (talk) 02:37, 31 March 2024 (UTC)
 * I don't think 3 paragraphs warrants a split, however, it might warrant a split if there is more coverage. Sohom (talk) 06:16, 31 March 2024 (UTC)
 * I think it is less about how many paragraphs per se, but simply that the overall situation of the compromised code/account, is not necessarily what most people coming to this wikipedia page, on average, want to read about. Yes, right now they want to, but I think in a few months this may be different; and not everything related to the compromised situation is about xz, per se. So I think it may be better to add a separate, own article - there people have a bit more freedom to extrapolate and analyse. 2A02:8388:1643:D680:A2AE:5A8A:4BF3:8401 (talk) 01:14, 1 April 2024 (UTC)
 * Agreed with the above, this isn't at the level as something like Log4Shell yet. Keeping it in the article is fine. PolarManne (talk) 15:50, 31 March 2024 (UTC)
 * I support the split, this seems pretty significant, one of the most important supply chain attack incidents, interesting details and coverage keeps surfacing and there are more to come it seems, and there is already enough coverage to add more things that makes it distinct enough to an article I think. Tehonk (talk) 19:42, 31 March 2024 (UTC)
 * The split is probably going to be necessary once people make a name/logo and all.
 * In other news: I just blocked out the stable release field in the infobox. If I can find confirmation from a safe source that there is a latest safe version I'll let you know, but the bad actor's been working on this for a year and a half.. ItzSwirlz (talk) 00:08, 1 April 2024 (UTC)
 * I think the stable release wasn't concieved keeping this situation in mind. However, I agree with your edit. Regarding the split, it will probably be required at some point. However, as of now, it is not required (imo) Sohom (talk) 00:18, 1 April 2024 (UTC)
 * Welll... it didn't occur to me to check if there's a page for XZ Utils, so I wrote CVE-2024-3094 as a standalone article, and only after putting it into mainspace, I found this discussion.
 * I suppose we let this discussion run its course, and then we'll see if the separate article should be kept or deleted.
 * As for my opinion, I think there is merit to having this in a separate article given that while the backdoor is in xz, the target seems to be OpenSSH. To me, this event transcends xz itself.  Mel ma nn   13:09, 1 April 2024 (UTC)


 * No split right now (based on size). We also have the article supply chain attack where it's covered, which also currently doesn't need splitting right now based on size, but if the topic outgrows either it could be split. Of note, other articles I checked with security incidents weren't split, so I'm not presuming this will ever need splitting. Widefox ; talk 12:34, 1 April 2024 (UTC)
 * Don't split at the moment, though no opposition to a potential split later if more coverage and sources emerge. Sources in the article currently seem to be a mix of primary sources (e.g. mailing list archives, GitHub Gists, bug tracker entries) and routine security advisory announcements. A cursory search brings up some news coverage, but not much . I wouldn't be surprised if this gets more coverage, but right now there's not enough sourcing for an independent article. Dylnuge  (Talk • Edits) 13:15, 1 April 2024 (UTC)
 * Comment has been split to XZ utils backdoor. Widefox ; talk 19:26, 1 April 2024 (UTC)
 * As stated above, had I known about this discussion, I would have waited. But I only found this discussion after I had already created the article in mainspace.
 * I think this discussion can run its course, and if the consensus is to not split, any unique content of XZ Utils backdoor can be merged here.  Mel ma nn   22:59, 1 April 2024 (UTC)

xz format
xz format: https://news.ycombinator.com/item?id=39873112

can it be added to corresponding section? 176.52.113.35 (talk) 15:51, 31 March 2024 (UTC)

Who is Mike Kezner?
The Development and Adoption section mentions Mike Kezner as the "leader" of the Tukaani project. This was quietly added in december 2011 by an anonymous IP edit with no comment, and I can find no reference to this being the case. The Tukaani project's about page (tukaani.org/about.html) does not mention his name as a contributor, nor does any archived version of the page or of the previous about page (tukaani.org/about). The IP account that created this edit has also made four other edits to other articles, adding "Mike Kezner - sitar" to the credits of a Taylor Swift album, "Mike Kezner - sitar" to the credits of a Coldplay album, "Mike Kezner - sitar" to the band members of Free Energy, and "Mike Kezner - production, arrangement, sitar" to a greatest hits album of Norwegian teen-pop band M2M. This seems like an obvious troll, the other edits by this IP should probably also be reverted. — Preceding unsigned comment added by 185.25.79.187 (talk) 12:42, 4 April 2024 (UTC)


 * Mention of Mike Kezner now removed as per my last edit. 185.25.79.187 (talk) 12:47, 4 April 2024 (UTC)
 * Good catch, anon. Tehonk (talk) 22:35, 8 April 2024 (UTC)

License is under 0BSD now, not Public Domain
From the license file (https://github.com/tukaani-project/xz/blob/master/COPYING), it was recently shown that it was moved from the public domain, and is now under a 0BSD license. DevStik (talk) 03:44, 30 June 2024 (UTC)