Is there a danger in using the current FreeBSD version?
I read the Wikipedia article about the backdoor in XZ. It was only in the developer version and not in production.
Now Netflix uses the "current" (development) version of FreeBSD. Doesn't that put Netflix in danger of suffering from the same security problem?
I mean, what if there is a new security hole in a preview build that has not yet been discovered, like in the case of xz? After all, most Linux installations were protected from it because it was not in the "production"/stable version, only in the development version.
1 answer
No. There is no known danger. The XZ backdoor was serious and very nearly became a catastrophe, but it was patched before release.
A few things happened as a result of the XZ debacle:
- 👍 A number of developers went on a tear looking for other planted vulnerabilities when XZ was fixed.
- 👍 There was a heightened awareness of supply-chain vulnerabilities from "helpful" (and particularly from forceful) contributors.
- 👎 There was a rash of accusations about various people who had been contributors or bug reporters being sock puppets for hackers.
Software has bugs. Use software (on your computer or the cloud) according to your risk tolerance. Netflix makes their own decisions, and you can decide whether that's in line with your preferences. Bear in mind that really old software has had more time to be patched but may have exploits that are better-known!
I think you are asking about this now rather than two years ago because of the interest sparked by a Veritasium documentary on YouTube. The documentary is actually quite good and has interviews with first-party sources.