transcript

Screenshot of github showing part of the commit message of this commit with this text:

Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094).

While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

  - The executable payloads were embedded as binary blobs in
    the test files. This was a blatant violation of the
    Debian Free Software Guidelines.

  - On machines that see lots bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

  - The maintainer who added the backdoor has disappeared.

  - Backdoors are bad for security.

This reverts the following without making any other changes:

The sentence “This was a blatant violation of the Debian Free Software Guidelines” is highlighted.

Below the github screenshot is a frame of the 1998 film The Big Lebowski with the meme caption “What, are you a fucking park ranger now?” from the scene where that line was spoken.

  • @xantoxis
    link
    67 months ago

    Well, I think they should revoke that guy’s PGP key

    • @computergeek125
      link
      English
      27 months ago

      Isn’t the point of PGP/GPG that there’s no central database?

      • @[email protected]
        link
        fedilink
        27 months ago

        Yes, he will always be able to prove that’s it’s him. But if they revoke the permissions of that key he can’t do any more damage