tweaks
jamespfennell committed Mar 30, 2024
1 parent 818a5b1 commit 80b3d6f
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions README.md
@@ -18,16 +18,16 @@ This backdoor was the result of a successful ~2 year effort by a malicious actor
This Go package uses a vendored snapshot of the upstream xz repository from March 2020, 2 years before this attack started.
Specifically the snapshot was taken at
[upstream commit `2327a461`](https://git.tukaani.org/?p=xz.git;a=commit;h=2327a461e1afce862c22269b80d3517801103c1b).
This commit was the release commit for
[version 5.2.5 of xz](https://www.mail-archive.com/xz-devel@tukaani.org/msg00359.html).
This commit is [pinned in this repository using a Git submodule](https://github.com/jamespfennell/xz/tree/main/internal/vendorc).
The C files themselves were copied from the upstream repository into this repository.
This snapshot was the release commit for
[version 5.2.5 of xz](https://www.mail-archive.com/xz-devel@tukaani.org/msg00359.html).

Thus, this Go package is still safe to use if you assume
(a) the backdoor from March 2024 is the first successful compromise of upstream and
(b) that _this_ repository has not been compromised by me, the maintainer.
(b) that _this_ repository has not been compromised by me, the maintainer, jamespfennell@.
Your security posture will determine whether these assumptions are safe to make.
Honestly at this point it's probably easier and safer to just use zstd instead of xz.
Honestly at this point it's probably just easier to use zstd instead of xz.

Finally, we note that the upstream attacker made about ~750 commits over 2 years to upstream
before being discovered.
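Review bot: the hunk now states the same fact twice: "This commit was the release commit for [version 5.2.5 of xz]" and, two lines later, "This snapshot was the release commit for [version 5.2.5 of xz]"; keep one of the two. The dropped sentence "This commit is [pinned in this repository using a Git submodule]" was the only statement telling a reader how to verify that the vendored C files match upstream commit `2327a461`, and that verifiability is exactly what the "still safe to use if you assume" argument in the next paragraph rests on; if the submodule is still present, keep that sentence alongside "The C files themselves were copied from the upstream repository into this repository." so the reader has a concrete check rather than a bare assertion. Minor: the rewording of the last line drops "and safer", which turns a security recommendation into a convenience one; if that weakening is intended it is fine, otherwise keep the original wording.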
