Confirmation of package safty regarding to recent xz vulnerability about electron-builder HOT 2 OPEN

Ah, great callout! This is certainly a great topic to bring up 🙂

Re: the discussion page, I found it impossible for me to monitor as I wasn't receiving proper notifications for it any community members weren't actively contributing to it, so I deactivated it to consolidate in Issues as it was being used as previously

Re: 7zip-bin, I don't manage that project so I'm not familiar with how the binaries were provided/committed. When was the xz backdoor introduced? The last commits on the 7zip-bin project are 2+ years old as you mentioned, so I'd like to correlate timestamps with that first.

For app-builder-bin, I'm also not too positive as I'm not familiar with the implementation, so I would encourage opening a GH Issue on that repo and link back here. We can ping the owner of the repo to do a thorough investigation of that. From what I gather, it does use the xz installed on the system, but worth pinging the owner anyhow to double check.

from electron-builder.

Re: 7zip-bin, I don't manage that project so I'm not familiar with how the binaries were provided/committed. When was the xz backdoor introduced? The last commits on the 7zip-bin project are 2+ years old as you mentioned, so I'd like to correlate timestamps with that first.

From what I read, the compromised xz packages were versions 5.6.0, released on 2024-02-24, and version 5.6.1, released on 2024-03-09.

For app-builder-bin, I'm also not too positive as I'm not familiar with the implementation, so I would encourage opening a GH Issue on that repo and link back here.

I created a ticket here: develar/app-builder#115

from electron-builder.