Emerald (she/her)Debian security amirite?
oce đThe malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.
âGiven the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,â Freund wrote. âUnfortunately the latter looks like the less likely explanation, given they communicated on various lists about the âfixesââ provided in recent updates. Those updates and fixes can be found here, here, here, and here. arstechnica.com/âŚ/backdoor-found-in-widely-used-lâŚ
That really sucks. This kind of thing can make people and companies lose trust in open source.
PainInTheAESCould be a state actor too
Certainly, thatâs why I said organization to be vague.
Sorry I should have been more clear too. I was trying to convey that the dev could have been paid off/threatened or it could be the work of a state actor or team of state actors under an alias. In one case they could care about their reputation but in the other maybe not.