
> A bit random, but has there been speculation on why this seemed to only target rpm/deb packaging?

I don't think much speculation is needed. RPM and deb catch every Enterprise Linux distribution, to the best of my knowledge.

rpm catches Red Hat and all derivatives like CentOS, Alma Linux etc, as well as SuSE, Amazon Linux, and even Microsoft's Mariner Linux (now renamed Azure Linux).

deb catches Debian and Ubuntu.

That's a huge global install base just through those two targets.



Sure, but why go to the effort to exclude others? Did they think it would help avoid detection on systems that they didn't care to backdoor?


I don't think it was a specific effort to exclude others; they took efforts to ensure it happened at packaging time, to reduce chances of detection. So e.g. other xz devs didn't notice it when compiling it, and so on.


Obviously it would help avoiding detection since the backdoor has the side effect of slowing down things. So you only target the ones you really want.

And to me it's less that they don't care, more that their script probably only works or only has been tested on the ones using .rpm/.deb.


> Obviously it would help avoiding detection since the backdoor has the side effect of slowing down things.

My understanding was that this was the result of a bug? But I understand that part less than any of it, so I well could be wrong.

> And to me it's less that they don't care, more that their script probably only works or only has been tested on the ones using .rpm/.deb.

Now that strikes me as more likely. Maybe they wanted to be relatively sure that they wouldn't be detected and needed to select a test matrix to test against (SELinux/landlock config across rpm/deb distros, versus across every distro).

I guess what I'm getting at is... did they have an intended set of targets and knew they were running deb/rpm, on top of any other factors?


Because random people testing an unpackaged version will not find a problem.



