This page will get updated as I learn more about the incident.

The Git repositories of XZ projects are on git.tukaani.org.

The email address xz at tukaani dot org forwards to me only. This change was made on 2024-03-30.

The xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don’t have a home page. Some links on tukaani.org are broken. This will be fixed in a few days.

To media and reporters

I won’t reply for now because first I need to understand the situation thoroughly enough. It’s enough to reload this page once per 48 hours to check if this message has changed.

Email

I have gotten a lot of email. Thanks for the positive comments. Unfortunately I don’t have time to reply to most of them.

Facts

  • CVE-2024-3094

  • XZ Utils 5.6.0 and 5.6.1 release tarballs contain a backdoor. These tarballs were created and signed by Jia Tan.

  • Tarballs created by Jia Tan were signed by him. Any tarballs signed by me were created by me.

  • GitHub accounts of both me (Larhzu) and Jia Tan were suspended. Mine was reinstated on 2024-04-02.

  • xz.tukaani.org (DNS CNAME) was hosted on GitHub Pages and thus is down too. It might be moved back to the main tukaani.org domain in the near future.

  • Only I have had access to the main tukaani.org website, git.tukaani.org repositories, and related files. Jia Tan only had access to things hosted on GitHub, including xz.tukaani.org subdomain (and only that subdomain).

Plans

I plan to write an article about how the backdoor got into the releases and what can be learned from this. I’m still studying the details.

xz.git needs to be gotten to a state where I’m happy to say I fully approve its contents. It’s possible that the recent commits in master will be rebased to purge the malicious files from the Git history so that people don’t download them in any form when they clone the repo. The old repository could still be preserved in a separate read-only repository for history: the contents of its last commit could equal some commit in the new repository.

These will unfortunately but obviously take several days.

A clean XZ Utils release version could jump to 5.8.0. Some wish that it clearly separates the clean one from the bad 5.6.x.