The backdoor planted in xz gave its author a way into servers over the secure shell protocol (OpenSSH), by way of a dependency chain described below; Russ Cox's timeline of the attack is the source for what follows. xz, created by Lasse Collin, uses the LZMA compression algorithm and compresses files roughly 30% smaller than gzip does. That compression ratio made it widely used, to the point that the Linux kernel itself adopted it. Lasse has maintained the project, largely alone, since it began in 2005.
In October 2021, Jia Tan sent his first small patches to the xz mailing list; nothing about them was irregular. In April 2022, after another patch from Jia had sat unreviewed, a user named Jigar Kumar began complaining about the slow pace of patch review, and Dennis Ens asked whether XZ for Java was still maintained. Lasse Collin replied that he had limited capacity and had been struggling to keep up, and that Jia Tan had been helping off-list. Jia's first commits to the repository followed, and by the end of 2022 Lasse had made him a co-maintainer.
The first release Jia Tan built and tagged was 5.4.2, in March 2023. He went on to contribute more code, changed the project's oss-fuzz configuration (Google's continuous fuzzing service) to disable ifunc, the same mechanism the backdoor would later hook, and moved the project website to GitHub Pages, citing easier maintenance.
The backdoor itself landed in late February 2024, a little under two and a half years after Jia's first contact, and version 5.6.0 was released shortly after, on 24 February 2024.
Meanwhile, the systemd project was preparing to load liblzma through dlopen on demand rather than link libsystemd against it directly. Because the backdoor reaches sshd only through libsystemd (distributions such as Debian and Fedora patch OpenSSH to link libsystemd for service notification), that change would have severed the path into sshd regardless of what liblzma contained. That looming change may be why Jia hurried to get the backdoored releases into mainstream Linux distributions before systemd's change shipped. In the same period, an account named Hans Jansen pushed Debian to adopt the new xz version promptly.
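As an added illustration of that dependency chain (example code written for this page, not from Russ Cox's timeline or from the xz, systemd or OpenSSH projects): a POSIX shell check that looks for liblzma in a binary's ldd output, in a running process's /proc/<pid>/maps (which also catches a library pulled in by dlopen, where ldd on the binary shows nothing), and in the xz version string, flagging the two backdoored releases, 5.6.0 and 5.6.1. The sample ldd and maps lines are constructed, and the path /usr/sbin/sshd is an assumption about where the daemon lives.

```shell
#!/bin/sh
# Added example for this page, not code from the xz, systemd or OpenSSH projects.
# Assumes a glibc-based Linux with ldd, awk and /proc; the sshd path is an assumption.

# "yes" if an ldd listing shows liblzma linked in (directly or via libsystemd), else "no".
lzma_in_ldd() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so' && echo yes || echo no
}

# "yes" if a /proc/<pid>/maps dump shows liblzma mapped into the process.
# This also catches a dlopen()ed liblzma, which ldd on the binary would not show.
lzma_mapped() {
    printf '%s\n' "$1" | awk '$6 ~ /liblzma\.so/ { found = 1 } END { print (found ? "yes" : "no") }'
}

# "yes" if the first line of "xz --version" names one of the two backdoored releases.
xz_version_affected() {
    v=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9.]*\).*/\1/p')
    case "$v" in
        5.6.0|5.6.1) echo yes ;;
        *)           echo no ;;
    esac
}

# Constructed sample inputs (addresses abridged), not captured from a real host.
# Direct linking, as on a Debian-style sshd before the systemd dlopen change:
SAMPLE_LDD_DIRECT='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'
# After the change: libsystemd still present, liblzma no longer a link-time dependency.
SAMPLE_LDD_DLOPEN='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'
# A maps line showing liblzma loaded at run time, however it got there:
SAMPLE_MAPS='7f0000000000-7f0000001000 r-xp 00000000 08:01 4242 /lib/x86_64-linux-gnu/liblzma.so.5.6.1'

# Live check, only when an sshd binary is actually present on this host.
if [ -x /usr/sbin/sshd ]; then
    echo "link-time liblzma in sshd: $(lzma_in_ldd "$(ldd /usr/sbin/sshd 2>/dev/null || true)")"
    if command -v xz >/dev/null 2>&1; then
        echo "backdoored xz release installed: $(xz_version_affected "$(xz --version 2>/dev/null | head -n 1)")"
    fi
    if command -v pidof >/dev/null 2>&1; then
        pid=$(pidof -s sshd 2>/dev/null || true)
        if [ -n "$pid" ] && [ -r "/proc/$pid/maps" ]; then
            echo "liblzma mapped in running sshd: $(lzma_mapped "$(cat "/proc/$pid/maps")")"
        fi
    fi
fi
```

The point of the maps check is the one the systemd discussion turns on: once liblzma is loaded through dlopen instead of being a link-time dependency, ldd stops showing it, so a static look at the binary no longer tells you what ends up in the sshd process.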
What the timeline shows is that Jia spent years building trust before planting anything. Without the pressure of systemd's impending change, he might have taken the time to produce a more polished backdoor that would not have been noticed as easily as this one was.
TLDR: xz is a widely used compression tool maintained by one overextended volunteer; over roughly two and a half years a contributor gained maintainer status, weakened the project's fuzzing, and shipped a backdoor that reached sshd through libsystemd's dependency on liblzma. Loading such libraries on demand, as systemd was about to, would have cut that path.