SSH Key Update

On 2024-03-29, a backdoor was publicly disclosed in the XZ Utils software. Inferencium systems did have the affected versions of this software installed, and the tools were used. The software has since been downgraded to the last-known safe version.

After extensive research, it has been discovered that specific criteria must be met for the backdoor to be effective. Based on what is known, Inferencium systems are unaffected by this attack for the following reasons:

The only criterion met by Inferencium systems is amd64 as the system architecture; this is not enough for the backdoor to be effective. Even if all criteria other than running glibc were met, Inferencium systems would still be unaffected by this attack, because musl does not support the IFUNC functionality on which the backdoor seems heavily dependent.

Despite the evidence, it is unknown exactly what this malicious code does and is capable of in its entirety. As a precautionary measure, I have generated a new SSH key and classified the previous key as compromised. You can find my new key on the Key webpage.

There is no evidence that my previous key was compromised, so this is entirely a precautionary measure. All files and Git commits, tags, and releases signed with the previous key, even after discovery of the backdoor, up to 2024-04-01, are secure and validly signed by me; the key should not be trusted after this date.

I completely support Lasse Collin during this time. Support should be provided to him for what occurred to his project and how it was sabotaged. He clearly had good intentions and was burnt out from the commitment to his project, which led to Jia Tan taking advantage of him. He has posted his own, official statement on behalf of the XZ Utils project and how it intends to move forward. Assistance should be provided to support both him and the community.


Source Code Mirror - Codeberg

Inferencium source code repositories are now mirrored at Codeberg. In case of service disruption of the main Inferencium source code repositories, the mirrors can be used to access the source code.

Due to terms of service restrictions, proprietary code and related repositories, such as firmware, are unable to be mirrored to Codeberg.