xz backdoor and freeciv

New releases, projects, multiplayer games, etc.
Post Reply
Posts: 3136
Joined: Tue Jan 29, 2013 6:54 pm

xz backdoor and freeciv

Post by cazfi »

Week ago, backdoor code was found in the xz compression library. This has lead to delays in entire operating system releases as various organizations have been evaluating the effects the finding have in their software stacks.

For freeciv.org, the happy conclusion is that we have never shipped anything affected.

Our own infrastructure, freeciv.org servers, never used affected versions of xz.

For some environments we provide entire runtime environment, in addition to freeciv program itself. These environments contain copy of xz. The environments are Windows (msys2 and crosser), and flatpak. Freeciv.org has never shipped any freeciv builds, not stable nor even snapshot or nightly, with affected xz versions. The only place where affected xz version has been available from our download locations is the development version of the next msys2 enviroment, but that version was not yet used even for the nightly builds in https://forum.freeciv.org/f/viewforum.php?f=30. Naturally, that version won't ever come to use, either, but we will make a new iteration to have it fixed before taking a new environment version to use. Also crosser development version briefly had affected xz version, but those crosser revisions were never used by freeciv.

Further, there's second, though weaker, layer of security in that even if the affected xz version had been shipped in these environments, the nature of the backdoor is such that it would remain dormant in our use of xz.
Post Reply