The abusive behavior that was being used to manipulate Lasse Collin into bringing on more maintainers for #xz went unnoticed because abusive behavior in Open Source communities is so pervasive. In context, we can clearly see it was part of an orchestrated operation. Out of context, it looks like just another asshole complaining about stuff they have no right to complain about. https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
A Microcosm of the interactions in Open Source projects | RobMensching.com

Originally a thread on Twitter about the xz/liblzma vulnerability, when I finished typing it, I realized I had a real world slice of Open Source interaction that deserved more attention.

@swelljoe So these are potential targets for zero day or places where zero days might be inserted? I could see the bitchy/snarky comments being a script to get someone to say "screw off, you do it."
@James in this case "Jia Tan" who volunteered to "help" around the same time as all the complaining was happening made a bunch of mostly legitimate commits, but also eventually built in a backdoor. It was quite well-hidden, and passed through most of the checks that might catch sloppier or less well-planned attacks (the `ifunc` patch was clearly to provide a plausible excuse for disabling sanitizers). They spent almost two years taking more control of the project and inserting the backdoor.
@swelljoe @James I couldn't help but think "the NSA is getting desperate"
@lritter @James that's not NSA tactics. I'm not saying the US government doesn't spy or compromise security, just that they have so much more capability and are limited by law in how directly they can be involved in stuff like this. This feels more like Russia (or one of their eastern European friends), China, or North Korea. And it doesn't have to be a state... it seems likely someone was paid for it, since it was so long in the making, but we can't even know that based on what's public so far.