Reading about this xz backdoor story from the outside as a person who is still learning much about the technical ins and outs, but as a psychologist it is just overwhelming to imagine a maintainer in this position and all of the feelings of pressure and skill based identity and social isolation that must be involved.

Imho psychology has a duty to show up for technology practitioners and work for them just like we see and work for the well-being of emergency workers, healthcare providers.

@grimalkina the part that stood out to me was that the decision from the poor maintainer to hand over the maintainership to the malicious actor was… expedited by a slew of psyops abuse from various sockpuppet accounts that were *absolutely indistinguishable* from the demands that OSS maintainers of popular packages get on a routine basis.

e.g.: https://www.mail-archive.com/xz-devel@tukaani.org/msg00568.html

Re: [xz-devel] XZ for Java

@analogist this stuff moves me to tears I can't imagine being the recipient of it. We need to build walls of psychological protection for people somehow long before things like this happen. This is why software development needs to be healthy and kind and communal.

@grimalkina @analogist It's so horrible. It's no wonder the maintainer reported struggling with mental health issues for years. Who wouldn't?

To attack someone for years and erode their mental health and then slowly slip into their source code and plant sleeping exploits deep in the software supply chain is unreal. But it appears to legitimately be happening, and repeatedly.

I truly agree here. Psychological protection needs to happen.

@hazelweakly @analogist it gives me a lot of hope to see the vast amounts of empathy and compassion from developers themselves whenever there are these events, but the vast economic forces and history of technology have truly trapped that compassion on the individual level. Developers are so powerful and yet so disempowered, and it is an acute social science question to me: how can we move that compassion in a way that will protect more people like this?

@grimalkina

Yeah. I've been trying to think about some practical things we technologists can do for each other, and made some suggestions in https://www.harihareswara.net/posts/2023/user-support-equanimity-potential-cross-project-tools-practices-open-source/ , and hope this incident can spur some more creative and substantial effort. Then again, I'm thinking about the past 10 years, post-Heartbleed, and that doesn't feed optimism.

@hazelweakly @analogist

@grimalkina @hazelweakly @analogist IMO stop with VC funded companies. Organic growth allows for setting more of your own policies.