• GarlicToast@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    You are right, it will be a mess to pull xz from a different hash. This is why you go back to an older build, and keep only packages you need on the newer version.

    • Atemu
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Those packages themselves depend on xz. Pretty much all of them.

      What you’re suggesting would only make the xz executable not be backdoored anymore but any other application using liblzma would still be as vulnerable as before. That’s actually the only currently known attack vector; inject malicious code into SSHD via liblzma.