Reading about this xz backdoor story from the outside as a person who is still learning much about the technical ins and outs, but as a psychologist it is just overwhelming to imagine a maintainer in this position and all of the feelings of pressure and skill based identity and social isolation that must be involved.

Imho psychology has a duty to show up for technology practitioners and work for them just like we see and work for the well-being of emergency workers, healthcare providers.

@grimalkina Worse, what's apparently going down in the community already again.

The original maintainer was apparently on vacation and got this all dropped on them after years of basically thankless work… and then a social engineering attack, including sockpuppets putting pressure on the project to take on more maintainers.

It's a sad, damning state of affairs about the psychological health of OSS maintenance.

From: @mmeier
https://social.mei-home.net/@mmeier/112185416457113560

Michael (@mmeier@social.mei-home.net)

@[email protected] Yeah. I just saw somebody complaining about the fact that the original maintainer, being on vacation at the moment and still having made a commit or two, hasn't set up commit signing yet, and that that should really be the first thing on said maintainer's mind right now. That really switched me from yesterday's "Hey, I think this was overall handled pretty nicely" straight back to pessimism.

@Sevoris @grimalkina @mmeier exactly - seems like this was primarily a psychological exploit designed to target a vulnerable individual - I feel terrible for them

@mrcompletely @grimalkina @mmeier worse, to me it seems like there were compounding failures here.

The attacker tried to get his malicious code past an OSS fuzzer system by arguing with a 2015 bug that hadn't been resolved in 2023…

But is it surprising this "small fish" doesn't get caught when people are under pressure and underpaid? Where do you get the psychological security from to take small issues seriously?

From: @Sevoris
https://mastodon.social/@Sevoris/112183791413962910

@mrcompletely @grimalkina @mmeier nothing in the exploit chain to me screams "that one big fish". It was a dozen tiny failures that almost enabled this.

Safety engineers would probably have a field day arguing that this is precisely how systems fail, ultimately: tiny individual problems that "line up the holes".

But where do you get the psychological health and energy from to address all of that? There's so many tiny issues everywhere…

@Sevoris @mrcompletely @mmeier "how can we help people recover and heal once they have been at the center of something like this" feels like a very important and immediate question and yet so often left out

@grimalkina @Sevoris @mrcompletely @mmeier

Trauma-informed maintainer support ❤️❤️❤️