app-arch/xz-utils: Sync with Gentoo (revert to known-good) #1816
Conversation
https://gitweb.gentoo.org/repo/gentoo.git/log/app-arch/xz-utils: I think a portage stable update will catch these two commits upstream and there will be no need for a separate commit.
The sync works on a file basis for now, at least, and we sync whole directories, not commits.
Build action triggered: https://github.com/flatcar/scripts/actions/runs/8534708530
I was referring to the fact that the portage stable sync will contain the relevant file fixes.
I did a similar change in my weekly updates branch. We downgrade to 5.4.2, which is the last version released by the previous maintainer.
I want to backport this to Alpha.
Branch force-pushed from b7c20ff to 80576e6
Branch force-pushed from 80576e6 to 5a727e7
Updated now that we can backport to Stable and downgrade everything to 5.4.2 as the last known-good release, like Gentoo did.
Should we also rebuild the SDK? Doing so would need a note for the next person tagging the releases and starting the builds.
Branch force-pushed from 5a727e7 to 29dae1e
I'd do it. Maybe the note can be added somewhere in the release planning board?
FYI: Gentoo upstream blacklisted xz-utils 5.4.3 this way: https://github.com/flatcar/scripts/pull/1788/files#diff-0e9c768a2a09eafc2d45cecaf99e8f68735e67877e7986ee387dab561be0f86dR25
I did the same in the weekly updates PR: https://github.com/flatcar/scripts/pull/1788/files#diff-0e9c768a2a09eafc2d45cecaf99e8f68735e67877e7986ee387dab561be0f86d This will be dropped, though, in the follow-up weekly updates, when we inherit the mask from Gentoo.
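The thread boils down to one version policy: 5.4.2 is the last known-good release, the 5.6 release carries the SSH backdoor, and everything newer than 5.4.2 (Alpha's 5.4.6-r1, Beta's 5.4.5, Stable's 5.4.3) is of unclear impact and gets downgraded as well. The POSIX sh helper below is an added example, not code from this PR or from flatcar/scripts, that applies that policy to version strings so a channel or a host can be checked mechanically. The `xz --version` sample text and the channel list are constructed; the `package.mask` atom is the form Gentoo uses for a version mask, written here for illustration rather than copied from the Gentoo commit linked above.

```shell
#!/bin/sh
# Added example (not part of flatcar/scripts or this PR): apply the version
# policy the thread describes to xz-utils version strings. 5.4.2 is the last
# known-good release, the 5.6 release line carries the SSH backdoor, and any
# other version newer than 5.4.2 is of unclear impact and gets downgraded too.
# Only numeric dotted versions plus a Gentoo "-rN" revision are understood.

KNOWN_GOOD=5.4.2

# Drop a Gentoo ebuild revision suffix: "5.4.6-r1" -> "5.4.6".
strip_revision() {
    case $1 in
        *-r[0-9]*) printf '%s\n' "${1%-r*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Compare two dotted versions component by component as integers.
# Prints -1, 0 or 1 for a<b, a=b, a>b; a missing component counts as 0,
# so "5.4" and "5.4.0" compare equal.
vercmp() {
    a=$(strip_revision "$1")
    b=$(strip_revision "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Classify a version the way this PR treats it:
#   backdoored  - the 5.6 release line
#   unclear     - newer than 5.4.2 but not 5.6 (Alpha 5.4.6-r1, Beta 5.4.5,
#                 Stable 5.4.3 in the thread)
#   known-good  - 5.4.2 or older
xz_classify() {
    v=$(strip_revision "$1")
    case $v in
        5.6|5.6.*) printf '%s\n' backdoored; return ;;
    esac
    if [ "$(vercmp "$v" "$KNOWN_GOOD")" -gt 0 ]; then
        printf '%s\n' unclear
    else
        printf '%s\n' known-good
    fi
}

# Exit status 0 when the version must be pinned back to the known-good release.
needs_downgrade() {
    [ "$(xz_classify "$1")" != known-good ]
}

# Pull the version out of `xz --version` output; the first line looks like
# "xz (XZ Utils) 5.4.6".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# The package.mask atom that pins everything newer than the known-good
# release, in the form Gentoo uses for a version mask (illustrative; not
# copied from the Gentoo commit the thread links to).
xz_mask_entry() {
    printf '>app-arch/xz-utils-%s\n' "$KNOWN_GOOD"
}

# Constructed sample of `xz --version` output from a host on Alpha.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Constructed list: the channel versions quoted in the PR description plus
# the unused 5.6 ebuild copy on main.
CHANNELS='alpha 5.4.6-r1
beta 5.4.5
stable 5.4.3
main-ebuild 5.6.1'

report() {
    printf '%s\n' "$CHANNELS" | while read -r channel version; do
        if needs_downgrade "$version"; then
            action="downgrade to $KNOWN_GOOD"
        else
            action=keep
        fi
        printf '%-12s %-9s %-11s %s\n' "$channel" "$version" \
            "$(xz_classify "$version")" "$action"
    done
}

report
printf 'installed: %s\n' "$(xz_version_from_output "$SAMPLE_XZ_VERSION")"
printf 'mask:      %s\n' "$(xz_mask_entry)"
```

The comparison is written by hand rather than with `sort -V` so it also runs on a minimal busybox shell; it deliberately treats every 5.6.x string as the backdoored line because that is how the thread treats the release, and does not try to be a vulnerability database.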
The 5.6 release contained a backdoor for SSH. The 5.6 release wasn't
used in Flatcar and so far it seems that the backdoor wouldn't even be
compiled for Gentoo. However, we so far don't know whether the other
patches are malicious.
Revert to 5.4.2 as the last known-good release (like Gentoo did).
Note that the Flatcar main branch had a copy of the 5.6 ebuild but was
not using it. Flatcar Alpha was on 5.4.6-r1, so before the backdoor, but
the malicious contributor made other changes of unclear impact as part of
this release. Similarly, Beta is on 5.4.5 and Stable is on 5.4.3. These
should get downgraded, too.
How to use
Backport to Stable, just to be sure
Testing done