• Prologue 2005 - 2008
    Lasse Collin, with help from others, designs the .xz file format using the LZMA compression algorithm.
  • Jia Tan's First Patch 2021-10-29
    Jia Tan sends first, innocuous patch to the xz-devel mailing list, adding “.editorconfig” file.
  • Jia Tan's Second Patch 2021-11-29
    Jia Tan sends second innocuous patch to the xz-devel mailing list, fixing an apparent reproducible build problem.
  • Another Patch by Jia Tan 2022-04-19
    Jia Tan sends yet another innocuous patch to the xz-devel mailing list.
  • Jigar Kumar's Complaint 2022-04-22
    "Jigar Kumar" sends first of a few emails complaining about Jia Tan’s patch not landing. At this point, Lasse Collin has already landed four of Jia Tan’s patches.
  • Inquiry about XZ for Java 2022-05-19
    "Dennis Ens" sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Reply 2022-05-19
    Lasse Collin replies apologizing for slowness and mentions "Jia Tan has helped me off-list with XZ Utils and he might have a bigger role in the future at least with XZ Utils."
  • Jigar Kumar's Complaint 2022-04-22
    "Jigar Kumar" sends first of a few emails complaining about Jia Tan’s patch not landing.
  • Dennis Ens Inquiry 2022-05-19
    "Dennis Ens" sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Reply 2022-05-19
    Lasse Collin replies, mentioning Jia Tan's potential future role and the need for change due to limited resources.
  • Jigar Kumar's Pressure Email 2022-05-27
    Jigar Kumar sends a pressure email regarding the delay in merging patches.
  • Jigar Kumar's Java Thread Email 2022-06-07
    Jigar Kumar sends an email to the Java thread, discussing the need for a new maintainer.
  • Lasse Collin's Pushback 2022-06-08
    Lasse Collin addresses concerns, mentioning his health issues and collaboration with Jia Tan.
  • Jia Tan's First Commit 2022-06-10
    Lasse Collin merges the first commit with Jia Tan as the author in the git metadata.
  • Jigar Kumar's Complaint 2022-04-22
    "Jigar Kumar" sends first of a few emails complaining about Jia Tan’s patch not landing, noting the slow pace of patch acceptance.
  • XZ for Java Inquiry 2022-05-19
    "Dennis Ens" sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Response 2022-05-19
    Lasse Collin replies, acknowledging the need for change and hinting at Jia Tan's future role.
  • Jugar Kumar's Pressure 2022-06-14
    Jugar Kumar sends a pressure email, expressing doubt about the project's progress and suggesting changes in maintainership.
  • Dennis Ens's Pressure 2022-06-21
    Dennis Ens sends a pressure email, suggesting Lasse Collin to reconsider the project's maintainership due to his mental health issues.
  • Lasse Collin on Maintainership 2022-06-21
    Lasse Collin replies, indicating Jia Tan's increasing role and the ongoing changes in maintainership.
  • Jigar Kumar on C Patch 2022-06-22
    Jigar Kumar sends a pressure email regarding the progress on a C patch, questioning Jia Tan's involvement.
  • Jigar Kumar's Complaint 2022-04-22
    "Jigar Kumar" sends first of a few emails complaining about Jia Tan’s patch not landing. At this point, Lasse Collin has already landed four of Jia Tan’s patches.
  • Inquiry by Dennis Ens 2022-05-19
    "Dennis Ens" sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Reply 2022-05-19
    Lasse Collin replies, mentioning Jia Tan's potential bigger role in the future with XZ Utils due to limited resources.
  • Jia Tan's Release Summary 2022-09-27
    Jia Tan gives release summary for 5.4.0, mentioning the plan for the multi-threaded decoder release in December.
  • Project Maintainers Update 2022-11-30
    Lasse Collin changes the bug report email to an alias that goes to him and Jia Tan, indicating Jia Tan as a project maintainer.
  • Jia Tan's First Direct Merge 2022-12-30
    Jia Tan merges the first commit directly into the xz repo, indicating they have commit access.
  • Lasse Collin's Final Release 2023-01-11
    Lasse Collin tags and builds his final release, v5.4.1.
  • Jia Tan's First Release 2023-03-18
    Jia Tan tags and builds their first release, v5.4.2.
  • oss-fuzz Configuration Update 2023-03-20
    Jia Tan updates Google oss-fuzz configuration to send bugs to them.
  • Jigar Kumar's Complaint 2022-04-22
    “Jigar Kumar” sends first of a few emails complaining about Jia Tan’s patch not landing. At this point, Lasse Collin has already landed four of Jia Tan’s patches.
  • Dennis Ens Inquiry 2022-05-19
    “Dennis Ens” sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Reply 2022-05-19
    Lasse Collin replies, mentioning Jia Tan's potential bigger role in the future with XZ Utils due to limited resources.
  • Hans Jansen's Patches 2023-06-22
    Hans Jansen sends patches that use the “GNU indirect function” feature, providing a hook for potential future modifications.
  • Jia Tan Disables ifunc Support 2023-07-07
    Jia Tan disables ifunc support during oss-fuzz builds, claiming incompatibility with address sanitizer.
  • Website Migration to GitHub Pages 2024-01-19
    Jia Tan moves the XZ Utils website to GitHub pages, gaining control over the webpage.
  • Jigar Kumar's Complaint 2022-04-22
    "Jigar Kumar" sends first of a few emails complaining about Jia Tan’s patch not landing, despite Lasse Collin already landing four of Jia Tan’s patches.
  • XZ for Java Inquiry 2022-05-19
    "Dennis Ens" sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Reply 2022-05-19
    Lasse Collin replies, mentioning Jia Tan's potential future role and the need for changes due to limited resources.
  • Hidden Backdoor Code 2024-02-23
    Jia Tan merges hidden backdoor binary code inside some binary test input files, claiming these files are for testing decoder implementations.
  • Malicious Build-to-host.m4 2024-02-24
    Jia Tan tags and builds v5.6.0, including a malicious build-to-host.m4 in the distribution, which adds a backdoor when building a deb/rpm package.
  • Gentoo Crashes 2024-02-24
    Gentoo starts seeing crashes in 5.6.0, likely due to an ifunc bug rather than the hidden backdoor.
  • Debian Adds xz-utils 5.6.0-0.1 2024-02-26
    Debian adds xz-utils 5.6.0-0.1 to unstable, incorporating the new version with potential security risks.
  • Debian Adds xz-utils 5.6.0-0.2 2024-02-28
    Debian updates xz-utils to 5.6.0-0.2 in unstable, continuing to deploy the latest version.
  • Jigar Kumar's Complaint 2022-04-22
    "Jigar Kumar" sends first of a few emails complaining about Jia Tan’s patch not landing. Lasse Collin has already landed four of Jia Tan’s patches.
  • XZ for Java Inquiry 2022-05-19
    "Dennis Ens" sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Reply 2022-05-19
    Lasse Collin replies, mentioning Jia Tan's potential future role and the need for changes due to limited resources.
  • Pull Request by @teknoraver 2024-02-29
    On GitHub, @teknoraver sends pull request to stop linking liblzma into libsystemd, potentially thwarting an attack.
  • Jia Tan's Subtle Typo 2024-02-28
    Jia Tan breaks landlock detection in configure script by adding a subtle typo, possibly setting up for a future attack.
  • Valgrind Errors in liblzma 2024-03-04
    RedHat distributions start seeing Valgrind errors in liblzma’s _get_cpuid, indicating a potential backdoor entry.
  • Jigar Kumar's Complaint 2022-04-22
    "Jigar Kumar" sends first of a few emails complaining about Jia Tan’s patch not landing. Lasse Collin has already landed four of Jia Tan’s patches.
  • Inquiry by Dennis Ens 2022-05-19
    "Dennis Ens" sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Reply 2022-05-19
    Lasse Collin replies, mentioning Jia Tan's potential bigger role in the future with XZ Utils.
  • The libsystemd PR Merge 2024-03-05
    The libsystemd PR is merged to remove liblzma.
  • Debian Adds xz-utils 2024-03-05
    Debian adds xz-utils 5.6.0-0.2 to testing.
  • Jia Tan's Commits 2024-03-05 to 2024-03-09
    Jia Tan commits two ifunc bug fixes and updates backdoor files, among other actions.
  • Hans Jansen Advocates for Update 2024-03-25
    Hans Jansen files a Debian bug to get xz-utils updated to 5.6.1, with support from new email addresses.
  • Jia Tan Files Ubuntu Bug 2024-03-28
    Jia Tan files an Ubuntu bug to get xz-utils updated to 5.6.1 from Debian.
  • Jigar Kumar's Complaint 2022-04-22
    "Jigar Kumar" sends first of a few emails complaining about Jia Tan’s patch not landing. Lasse Collin has already landed four of Jia Tan’s patches.
  • Dennis Ens' Inquiry 2022-05-19
    "Dennis Ens" sends mail to xz-devel asking if XZ for Java is maintained.
  • Lasse Collin's Reply 2022-05-19
    Lasse Collin replies, mentioning Jia Tan's potential bigger role in the future with XZ Utils due to limited resources.
  • Andres Freund's Discovery 2024-03-28
    Andres Freund discovers bug, privately notifies Debian and distros@openwall. CVE-2024-3094 assigned.
  • Debian's Rollback 2024-03-28
    Debian rolls back 5.6.1, introducing 5.6.1+really5.4.5-1.
  • Andres Freund's Public Warning 2024-03-29
    Andres Freund posts backdoor warning to public oss-security@openwall list.
  • RedHat's Announcement 2024-03-29
    RedHat announces that the backdoored xz shipped in Fedora Rawhide and Fedora Linux 40 beta.
  • Debian's Build Shutdown 2024-03-30
    Debian shuts down builds to rebuild their machines using Debian stable.