XZ and You
The xz
(really, liblzma
) attack was never possible on macOS.
The backdoor requires
glibc
, but Apple ships its ownlibc
The backdoor depended on
systemd
to loadsshd
- the actual injection mechanism attackedsystemd
which, for reasons links toliblzma
. macOS doesn't includesystemd
at all; andThe backdoor code was only injected during build if
make
was run on (a) Linux and (b) when creating adpkg
or anrpm
.
All that said, we are brute-force deleting xz
5.6.0 and 5.6.1 from the common Homebrew paths - /opt/homebrew/Cellar/xz/5.6.0
, /usr/local/Cellar/xz/5.6.0
- on all systems anyway. If someone installed brew
in some other path, like their home directory, we are not going to seek it out and delete it.
Russ Cox (co-creator of Go, among other things) has a serious in-depth explanation: