Emerald (she/her)Debian security amirite?
oce đThe malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.
âGiven the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,â Freund wrote. âUnfortunately the latter looks like the less likely explanation, given they communicated on various lists about the âfixesââ provided in recent updates. Those updates and fixes can be found here, here, here, and here. arstechnica.com/âŚ/backdoor-found-in-widely-used-lâŚ
That really sucks. This kind of thing can make people and companies lose trust in open source.
sepLike the exact same thing can not happen in a closed source codebase. It probably does daily. Since closed codebases the due dilligence and reviews cost money, and nobody can see the state. They are intentionally neglected.
Open source nor closed source is immune to the 5$ wrench hack
Open source nor closed source is immune to the 5$ wrench hack
Canât decide which one is more relevant - the $5 wrench hack, or any sort of blackmailing.
Exactly, if you are as big a Microsoft, you canât tell 100% if one of your developerâs is actually being paid by a foreign government. Even if you say completely check the commits other devs make, there will still be deadlines when a code review is just âlooks fine, nextâ.