The least surprising thing about the xz vulnerability is that it happened to a widely used project after a maintainer hand-off. We've seen exactly the same thing repeatedly in npm, PyPI, browser extensions, and other code marketplaces.

Humans don't last forever. Hand-off is inevitable. And I've long held that because that is true, the size of the group of maintainers is an important security characteristic.

Small projects create big risks.

Sustainability is a security concern.

@gordonmessmer Maintainer hand-off shouldn't be a thing. A new wannabe maintainer should just create a fork and distributions can choose who they trust. Also, changes from the fork can be merged back if they are good. Handing the maintainer permissions to someone new also hands them the complete distribution chain, the trust, the current network. That's too much, especially if nobody even saw the new guy's face, just a username, email address...

@gordonmessmer We shouldn't be treating hobby projects as professional service providers. Again and again we have small projects with single maintainers used in critical contexts all over the world. We should normalize forking instead of change of maintainer. Your critical infrastructure wants to use my hobby project? Cool, fork it then and do all your critical audits on it, then I may (or may not) pull those commits into my hobby project. Or don't depend on my hobby project. That's open source.