tukaani-project
libarchive
| tukaani-project | libarchive |
|---|---|
| 5 | 33 |
| - | 2,899 |
| - | 3.4% |
| - | 9.1 |
| - | 4 days ago |
| C | |
| - | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
tukaani-project
- Backdoor in upstream xz/liblzma leading to SSH server compromise
Thank you. If you hadn't explained the background, I totally would've thought that this is just an innocent typo.
(I still think it's like... 60% a typo? don't know)
Anyhow, other people called the CCing of JiaT75 by Lasse suspicious:
https://news.ycombinator.com/item?id=39867593
https://lore.kernel.org/lkml/20240320183846.19475-2-lasse.co...
Someone pointed out the "mental health issues" and "some other things"
https://news.ycombinator.com/item?id=39868881
https://www.mail-archive.com/[email protected]/msg00567.h...
Lasse is of course a Nordic name, and the whole project has a Finnish name and hosting
https://news.ycombinator.com/item?id=39866902
If I wanted to go rogue and insert a backdoor in a project of mine, I'd probably create a new sockpuppet account and hand over management of the project to them. The above is worryingly compatible with this hypothesis.
OTOH, JiaT75 did not reuse the existing hosting provider, but rather switched the site to github.io and uploaded old tarballs there:
https://github.com/tukaani-project/tukaani-project.github.io...
If JiaT75 is an old-timer in the project, wouldn't they have kept using the same hosting infra?
There are also some other grim possibilities: someone forced Lasse to hand over the project (violence or blackmailing? as far-fetched as that sounds)... or maybe stole Lasse's devices (and identity?) and now Lasse is incapacitated?
Or maybe it's just some other fellow Scandinavian who pretends to be Chinese and got Lasse's trust.
Is the same person sockpuppeting Hans Jansen? It's amusing (but unsurprising) that they are using both German-sounding and Chinese-sounding identities.
That said, I don't think it's unreasonable to think that Lasse genuinely trusted JiaT75, genuinely believed that the ifunc stuff was reasonable (it probably isn't: https://news.ycombinator.com/item?id=39869538 ) and handed over the project to them.
And at the end of the day, the only thing linking JiaT75 is a Swedish/Finnish racist joke which could well be a typo. People already checked the timezone of the commits, but I wonder if anyone has already checked the time-of-day of those commits... does it actually match the working hours that a person genuinely living (and sleeping) in China would follow?
libarchive
- The XZ attack and timeline
29 October 2021: At this point Jia Tan pops up, and the first thing we see from him is an innocuous patch to the xz repository, and while a lot of people believe he started out trying his luck with another library also known as libarchive, this is not the case. I would bet it's more of a backup looking at the dates, being that there are a few days in between as shown in this commit.
- Zip entry size unset now honors user requested compression level
- Suspicious libarchive pull request
- Backdoor in upstream xz/liblzma leading to SSH server compromise
Potentially malicious commit by same author on libarchive: https://github.com/libarchive/libarchive/pull/1609
- WinRAR had to get shady.
- Making Amiga IFF Thumbnails Work in Linux
Full agreement, and with the addition of xpk¹/xfd² as natural extensions to that extensibility too. I see things like xfd supporting xz³, and I'm simultaneously amazed that it exists and happy that I don't need to do xz {,de}compression on 68k ;)
I guess we have something similar-ish with libarchive⁴, but nobody (including me) has pushed the extra mile to get file dialogs to support random compression and decompression formats.
Beyond OT: I didn't realise how much stuff was still going on at aminet, but I love love LOVE that people are still dropping new car sets for Geoff Crammond's F1GP.
¹ http://aminet.net/package/util/pack/xpk_User
² http://aminet.net/package/util/pack/xfdmaster
³ http://aminet.net/package/util/pack/xfd_lzma.lha
⁴ https://www.libarchive.org/
- WinRAR zero-day exploited since April to hack trading accounts
I don't have a preview channel install handy to check, but apparently they're using libarchive so here's the full list assuming they expose everything it supports:
https://github.com/libarchive/libarchive/wiki/LibarchiveForm...
- Announcing Windows 11 Insider Preview Build 23493 for the Dev Channel
As announced at the Build conference back in May, this build adds native support for reading additional archive file formats using the libarchive open-source project such as
- Poor winrar
LibarchiveFormats · libarchive/libarchive Wiki · GitHub
- Windows 11 getting native support for 7-Zip, RAR, and GZ archives
Seems what they're using is BSD-licensed: https://github.com/libarchive/libarchive/wiki
What are some alternatives?
systemd - The systemd System and Service Manager
ZLib - A massively spiffy yet delicately unobtrusive compression library.
xz - XZ Utils
7z - Because 7-zip source code was in a 7z archive [mirror]
homebrew-core - 🍻 Default formulae for the missing package manager for macOS (or Linux)
p7zip - A new p7zip fork with additional codecs and improvements (forked from https://sourceforge.net/projects/sevenzip/ AND https://sourceforge.net/projects/p7zip/).
wasmtime - A fast and secure runtime for WebAssembly
fpart - Sort files and pack them into partitions
rust1 - rust1
pixz - Parallel, indexed xz compressor
openconnect
Klib - A standalone and lightweight C library