XZ removes the contributions of the backdoor author in a key move for security.

In a move aimed at bolstering security, XZ has removed all contributions from the author identified as Jia Tan, who had introduced a backdoor into the XZ compression format utilities. This incident has been one of the biggest security scandals in the history of Linux. Fortunately, an investigation conducted by a Microsoft employee helped detect the vulnerability in time.

A Security Scandal in the World of Linux

The backdoor, which impacted the XZ format utilities, was not present in the source code but in the compiled binaries available to users, which made it difficult to detect. The attack was sophisticated enough to clear the many barriers that would normally expose it; although some of the changes to the source code might have raised suspicion, it initially went unnoticed.
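The point above is that what users downloaded diverged from what the repository held. The check a defender would want for that is a comparison of a release artifact against the source checkout it claims to come from. The following script is an added example written for this page, not XZ project code: it hashes every regular file in a tarball and in a checkout directory and reports files that only exist in the tarball, files present in both whose bytes differ, and checkout files the tarball omits. The fixture it runs on (a toy project with a `configure` script, an unexplained `m4/extra.m4`, and a modified `src/main.c`) is constructed inline, and the `allowed_extra` list of expected generated files is an assumption of this example.

```python
"""Compare a release tarball against the source checkout it claims to come from.

Added example for this page, not XZ project code. Generated files that are
legitimately absent from version control (for example an autotools 'configure')
are passed in 'allowed_extra' so they do not drown the report.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root):
    """Map relative path -> sha256 for every regular file under the checkout."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = _sha256(p.read_bytes())
    return out


def tarball_digests(tar_path):
    """Map relative path -> sha256 for regular files in the tarball.

    Release tarballs wrap everything in a 'project-version/' directory; that
    top-level component is stripped so paths line up with the checkout.
    """
    out = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
            out[rel] = _sha256(tf.extractfile(m).read())
    return out


def compare_release(tar_path, checkout_dir, allowed_extra=()):
    """Return a dict with three sorted lists:
    'extra'    files shipped in the tarball but absent from the checkout
               (minus 'allowed_extra', the expected generated files),
    'modified' files present in both whose bytes differ,
    'missing'  checkout files that did not make it into the tarball.
    """
    tar = tarball_digests(tar_path)
    tree = tree_digests(checkout_dir)
    allowed = set(allowed_extra)
    return {
        "extra": sorted(p for p in tar.keys() - tree.keys() if p not in allowed),
        "modified": sorted(p for p in tar.keys() & tree.keys() if tar[p] != tree[p]),
        "missing": sorted(tree.keys() - tar.keys()),
    }


def build_constructed_fixture(workdir):
    """Construct a toy checkout and a toy release tarball for the demo.

    Entirely made up: 'configure' is a legitimate generated file, 'm4/extra.m4'
    is an unexplained file present only in the tarball, and 'src/main.c' differs.
    """
    checkout = Path(workdir, "checkout")
    (checkout / "src").mkdir(parents=True)
    (checkout / "src" / "main.c").write_text("int main(void){return 0;}\n")
    (checkout / "README").write_text("toy project\n")

    tar_path = Path(workdir, "toy-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        def add(name, text):
            data = text.encode()
            info = tarfile.TarInfo("toy-1.0/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("src/main.c", "int main(void){return 1;}\n")  # differs from the checkout
        add("README", "toy project\n")
        add("configure", "#!/bin/sh\n")                   # expected generated file
        add("m4/extra.m4", "dnl not in the repository\n")  # unexplained extra
    return str(tar_path), str(checkout)


def demo():
    """Run the comparison on the constructed fixture and return the report."""
    with tempfile.TemporaryDirectory() as work:
        tar_path, checkout = build_constructed_fixture(work)
        return compare_release(tar_path, checkout, allowed_extra=["configure"])


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On the constructed fixture the report flags `m4/extra.m4` as an unexplained extra and `src/main.c` as modified, while `configure` is silently accepted because it was listed as expected. On a real project the same function is run against the signed release tarball and a checkout of the tagged commit, with the allow list holding the files the project's release process is known to generate.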

Thanks to timely detection, measures were taken to avert severe consequences. However, the severity of the incident has led to a thorough review of the code and the implementation of significant changes to prevent similar future attacks.

Implemented Measures

Yesterday, a patch was released that introduced several key modifications. The most prominent one is the removal of Jia Tan as a maintainer of the software and the deletion of all his commit messages. Additionally, the XZ Embedded license has been changed from public domain to BSD Zero Clause License (0BSD).

The 0BSD license, despite its name, is not derived from any BSD license but is a modification of the ISC license. This license is permissive and allows greater flexibility in the use of the software. The XZ team explains that this change allows for the addition of matching SPDX license identifiers, enhancing code clarity and management.

Repercussions and Future

The removal of Jia Tan-related content was an expected measure due to the nature of the vulnerability. However, the license change has surprised some in the community. This change aims not only to enhance security but also to facilitate long-term collaboration and project maintenance.

Official Announcement

The official announcement was made by Lasse Collin, who detailed the license updates, filters, and compression options. Among the technical changes are improvements in documentation, the introduction of new filters for ARM64 and RISC-V, and adjustments to kernel compression options.

The statement emphasizes that the documentation review and the inclusion of new filters will allow for better kernel compression and increased security in build processes.

Impact on the Community

This incident has underscored the importance of security in open-source projects. The Linux community, known for its collaboration and transparency, has taken swift and effective measures to mitigate the risks associated with the backdoor. Users are encouraged to download the latest version of XZ and stay informed about security updates and enhancements.

With these changes, XZ aims not only to recover from the incident but also to establish a higher standard of security and reliability in compression software.
