this post was submitted on 22 Dec 2025
67 points (98.6% liked)
Linux
10754 readers
1017 users here now
A community for everything relating to the GNU/Linux operating system (except the memes!)
Also, check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Is this because of the xz utils thing? The backdoor was included into the tarball, but it wasn't in the git repo.
By switching away from tarballs they pribably hope to prevent that, although this article doesn't mention that. It's possible this shift has been happening since before the xz utils.
Not really. If xz were the issue, Debian would have just switched to a different tarball format like lz4.
This is more about Debian packaging conventions being very archaic and requiring a lot of futzing with upstream tarballs and patches.
The backdoor of the xz utils program(s) was in the tarball release, but not the main source code:
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
If debian had dodged the upstream tarball, then they wouldn't have been affected by this.
I mean, that's true, but that doesn't mean that's why Debian's doing it.
If they were solving just that, then they would have just pushed for something like a reproducible tarball where you can point to a commit, branch, tag, etcetera from which that tarball can be reproduced and not bother migrating their package format.
Debian has a serious ease-of-packaging issue that I've witnessed first-hand, and I think they've made it clear that it's moreso the ease factor they're focused on that the security factor.