Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The latest commit is interesting (f9cf4c05edd14, "Fix sabotaged Landlock sandbox check").

It looks like one of Jia Tan's commits (328c52da8a2) added a stray "." character to a piece of C code that was part of a check for sandboxing support, which I guess would cause the code to fail to compile, causing the check to fail, causing the sandboxing to be disabled.



Lasse has also started his own documentation on the incident.

https://tukaani.org/xz-backdoor/


Shouldn't they have tests running to ensure that the check works on at least some systems?


What do you mean "tests"?


Have a system were you wxpect the sandboxing to work and have an automated check that it compiles there?


Part of the backdoor was in the tests. The attacker in this case could easily have sabotaged the test as well if a test was required.


If your project becomes complex enough eventually you need tests for the configure step. Even without malicious actors its easy to miss that a compiler or system change broke some check.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: