Emerald (she/her)Debian security amirite?
oce đThe malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.
âGiven the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,â Freund wrote. âUnfortunately the latter looks like the less likely explanation, given they communicated on various lists about the âfixesââ provided in recent updates. Those updates and fixes can be found here, here, here, and here. arstechnica.com/âŚ/backdoor-found-in-widely-used-lâŚ
That really sucks. This kind of thing can make people and companies lose trust in open source.
PainInTheAESCould be a state actor too
Certainly, thatâs why I said organization to be vague.
Sorry I should have been more clear too. I was trying to convey that the dev could have been paid off/threatened or it could be the work of a state actor or team of state actors under an alias. In one case they could care about their reputation but in the other maybe not.
Like the exact same thing can not happen in a closed source codebase. It probably does daily. Since closed codebases the due dilligence and reviews cost money, and nobody can see the state. They are intentionally neglected.
Open source nor closed source is immune to the 5$ wrench hack
Open source nor closed source is immune to the 5$ wrench hack
Canât decide which one is more relevant - the $5 wrench hack, or any sort of blackmailing.
Exactly, if you are as big a Microsoft, you canât tell 100% if one of your developerâs is actually being paid by a foreign government. Even if you say completely check the commits other devs make, there will still be deadlines when a code review is just âlooks fine, nextâ.
No, its the exact opposite.
Supply chain conpromise is a level of risk to manage no unique to FOSS. Ever hear of sunburst? It resulted in a lot of Microsofts cloud customers getting wreaked all because their supply chain was compromised.
Do people continue to buy into 365 and Azure? Yes. Without care.
Yeah, I agree but I know some companies will have stupid thoughts like âa company employee is less likely to do thatâ or âat least we have an employment contract to back us up legallyâ.
Possibly linuxUntil they are attackedâŚ
Not to mention a lot of the time the âattackâ is from the company themselves. Just look at the Meta malware as an example
danthe Meta malware
What is this?
The VPN that performed a man in the middle attack to get data from other apps
The sony CD rootkit comes to mind
âŚwikipedia.org/âŚ/Sony_BMG_copy_protection_rootkitâŚ
Ugh this reminds me of a guy I worked with, he used to be a trucker but became a software tester (he was also very religious).
Anyway he used to hate on open source software and call it open sores. According to him it was all amateur crap. Ugh I still hate that guy and it has been 15 yearsâŚ