GitHub Restores Access to xz Repositories After Backdoor Removal and Maintainer Removal


GitHub has re-enabled access to the xz repositories. The platform had previously taken them offline after a backdoor was discovered in the compression tool. New commits have since removed the backdoor, and Jia Tan, the unknown maintainer, has been removed as well.

The repositories for both xz and xz-utils, as well as xz-embedded and xz-java, are back online. Last week, GitHub took the repositories offline when it was revealed that the commonly used compression tool xz contained malware. It was later determined that a deliberate backdoor had been inserted.

Lasse Collin, one of the two lead developers of the repo, stated on his website that the Git repos can now be accessed on GitHub, allowing researchers to review the changes that have been made. He also wrote there that he has no knowledge of Jia Tan's involvement. Jia Tan, who was a main maintainer alongside Collin, is the one who inserted the backdoor into xz.

Collin mentioned that the email address and website are only accessible to him. In a commit, he stated that he is the sole maintainer for the time being and that Jia Tan 'suddenly' disappeared after the backdoor was discovered. Collin also posted a commit confirming that the backdoor has been removed. He has also implemented a responsible disclosure policy that asks researchers to allow thirty days for fixes to be made.