I can’t tell you how angry this makes me feel for this maintainer.

I don’t know who Jigar Kumar is, or what the motivation was behind the emails that the author is referencing, but I can tell you if I was trying to get a bad actor in as a trusted developer, this is how I would approach it.

Good post.

https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

@jerry I'm guessing just another sockpuppet of the original attacker. This kind of pressure from several sockpuppets seems to be part of the MO of the attacker; see the Debian bug in which they were pushing hard for the update to 5.6.1 that fixed the valgrind warning caused by the exploit, with several users who all appear to be sockpuppets: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708