Hyperbola's update philosophy
Hyperbola as a project follows a long-term support approach, and its updates are therefore combined with a focus on security, privacy and free, permissive licensing only. While our main focus is on community-oriented software, we also do not aim to always include the newest versions of those projects.
In this article we explain our perspective on upgrades and the approach we follow for Hyperbola GNU/Linux-libre and also for HyperbolaBSD, our BSD-descended operating system.
Answers to complexity
Hyperbola was never intended to be a highly complex system, and it is not one now. Quite the opposite: we want to provide a system oriented towards minimalism, privacy and security. But what do those words mean exactly? For reference, we first point to our three points for a stable system. Applied to our packaging, those points result in clear and clean builds, with packaged software having as many dependencies removed or reduced as possible.
Our point here is: simple answers for a complex world never work! Providing a growing number of packages only works with a growing number of people maintaining them. The more packages and components a system uses, the more possible attack vectors are available, and the sooner actors, whatever their reasoning, will use them.
The better we are able to reduce and optimize our packaged software, the more understanding, support and enhancement become possible. This also means that some packages look quite old while being under active maintenance on our side so that we can keep working with them. Our goal is never to offer more and more software, but to provide the most optimized packages with minimalism in mind, so that our essential goal of technical emancipation can be realized. Users should always be able to understand all parts of the system and therefore be in full control of every aspect.
Example #1: Issues with liblzma
XZ Utils, and its underlying library liblzma, are free, libre projects that implement LZMA compression and decompression. They are included in many systems out of the box, are very popular with developers, and are therefore used extensively.
Almost two years ago, a person under the name Jia Tan joined the project and started opening requests for various fixes or improvements within the project. In itself, nothing about this is out of the ordinary, as this is how free and libre software works at its core. But after building trust and credibility, Jia Tan began to receive permissions for the code repository: first commit permissions, and afterwards also release-management rights.
It seems that as part of the effort to gain these permissions, Jia Tan used an interesting form of social engineering: according to the current state of the ongoing analysis, that person, or possibly several actors, used fake accounts to send a myriad of feature requests and complaints about problems to pressure the original maintainer, eventually creating the need to add another maintainer to the repository.
After contributing to the code for approximately two years, in 2023 Jia Tan introduced a few changes to XZ that were included as part of releases 5.6.0 and 5.6.1. Among these changes was a sophisticated backdoor giving full control over running SSH daemons. As the actors mentioned above also filed reports with various systems to push them into upgrading to the released versions containing the backdoor, more well-known, well-intended mechanisms were used in a way that damaged essential trust.
As Hyperbola does not follow those approaches and most of the time declines to do the newest upgrades, there was no risk to us at that point. Nevertheless, the dangers of the approaches described above show how much pressure free, libre software is under in the current times. Beyond the fact that the most important part of free software was attacked, the trust among people who use their own time to develop software with good intentions, this also shows how political this attack is.
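A defender-side check that follows from this example, added here and not part of the Hyperbola article: a POSIX shell script that flags an installed xz whose version string is one of the two releases named above and reports whether the local sshd binary is linked against liblzma at all. The sshd path /usr/sbin/sshd and the use of ldd are assumptions; a "not-listed" result only means the version is not one of those two releases, not that the package is known good.

```shell
#!/bin/sh
# Added example (not from the Hyperbola wiki): flag the two XZ Utils releases
# the article names as carrying the backdoor, and report whether the local
# sshd binary is linked against liblzma. Only those two version strings are
# treated as "listed"; everything else is "not-listed", which is not a clean
# bill of health, only "not one of the two".

# is_listed_xz_version VERSION -> prints "listed" or "not-listed"
is_listed_xz_version() {
    case "$1" in
        5.6.0|5.6.1) printf '%s\n' "listed" ;;
        *)           printf '%s\n' "not-listed" ;;
    esac
}

# extract_xz_version "xz (XZ Utils) 5.6.1" -> "5.6.1"
# Takes the first line of `xz --version` output and keeps its last token.
extract_xz_version() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }'
}

# sshd_links_liblzma PATH_TO_SSHD -> prints "linked", "not-linked" or "unknown"
# Uses ldd, which also shows transitively loaded libraries. Without the
# binary or without ldd the answer is "unknown" rather than a false negative.
sshd_links_liblzma() {
    sshd_bin="$1"
    [ -x "$sshd_bin" ] || { printf '%s\n' "unknown"; return 0; }
    command -v ldd >/dev/null 2>&1 || { printf '%s\n' "unknown"; return 0; }
    if ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'; then
        printf '%s\n' "linked"
    else
        printf '%s\n' "not-linked"
    fi
}

# check_host: run both checks against the live system (assumed sshd path)
check_host() {
    ver_line="$(xz --version 2>/dev/null | head -n 1)"
    ver="$(extract_xz_version "$ver_line")"
    printf 'xz version: %s (%s)\n' "${ver:-none}" "$(is_listed_xz_version "$ver")"
    printf 'sshd liblzma: %s\n' "$(sshd_links_liblzma /usr/sbin/sshd)"
}

check_host
```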