| | Pack | lbzip2 |
|---|---|---|
| Mentions | 1 | 2 |
| Stars | 234 | 125 |
| Growth | 10.7% | - |
| Activity | 6.0 | - |
| Last commit | about 2 months ago | over 1 year ago |
| Language | Pascal | C |
| License | Apache License 2.0 | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Pack
- Backdoor in upstream xz/liblzma leading to SSH server compromise
The `pack`[0] compression utility that reached the HN front page the other day[1] is setting off my alarm bells right now. (It was at the time too, but now doubly so)
It's written in Pascal, and the only (semi-)documented way to build it yourself is to use a graphical IDE, and pull in pre-compiled library binaries (stored in the git repo of a dependency which afaict Pack is the only dependent of - appears to be maintained by the same pseudonymous author but from a different account).
I've opened an issue[2] outlining my concerns. I'm certainly not accusing them of having backdoored binaries, but if I was setting up a project to be deliberately backdoorable, it'd look a lot like this.
[0] https://pack.ac/
[1] https://news.ycombinator.com/item?id=39793805
[2] https://github.com/PackOrganization/Pack/issues/10
lbzip2
- Xz format inadequate for long-term archiving (2022-02-02)
Spoiler: this lbzip2 code produces corrupted files in some cases, should we care if it is a backdoor? Or as usual, disable optimizations, disable valgrind, disable fuzzers and say that everything is ok?
[1] https://www.phoronix.com/news/Linux-6.9-Bcachefs-Attempt
[2] https://github.com/kjn/lbzip2/blob/b6dc48a7b9bfe6b340ed1f6d7...
- Backdoor in upstream xz/liblzma leading to SSH server compromise
The website change reminds me a bit of lbzip2.org https://github.com/kjn/lbzip2/issues/26#issuecomment-1582645... Although, at the moment, it only seems to be spam. The last commit was 6 years ago, so I guess that's better than a maintainer change...
What are some alternatives?
- rust1 - rust1
- stencil-golang - Template repository for Golang applications
- tukaani-project