The #xz vulnerability really has me feeling good about not living on the bleeding edge. I'm sure there's still some risk of a terrible backdoor somewhere in Debian or Ubuntu that hasn't been found yet, but at least there's a much higher chance of someone catching it before it bites me.
Only thing of mine that was affected was my Termux installations on my Android devices, something I never use for SSH anyway.
@Alex I work in tech, and for that reason I often hold off updating to the latest and greatest until enough time has passed to have early adopters run into whatever bugs or issues are introduced.
It saved me a lot of work and frustration a few times already.
@n3wjack Agreed. I have been playing with Plasma 6 in a VM and can't wait to make it my daily driver, but I just can't trust it yet. Too much new stuff.
I am happy to test, but not at the expense of my real-world productivity or security.
@Alex If I understand the vulnerability correctly, the Android case would only have mattered if you'd had an SSH *server* on the phone.
@aaribaud That's right. Pretty much a non-issue for what I use Termux for.
@Alex weird post. Some minor observations:
- not-bleeding edge won't protect from backdoors (often to the contrary)
- it's not about Debian (actually, Debian have found it for everyone) or Ubuntu
- probability of catching inversely correlates to its age
- you may never know what's wrong until someone figures it out. For what we know your system can be full of backdoored stuff.
Otherwise yes, it's lucky that it's been found out so fast, I can't even tell HOW lucky really.