I don’t agree with all the doomsaying about the XZ incident.

You just know orgs are going to return after Easter and panic about it unnecessarily (they’re likely still on Redhat 6). It doesn’t impact them as it was caught super early.

Regarding the narrative that there’s nothing that can be done about these types of attacks - I also don’t agree. There’s already a change in the pipeline to systemd which would have prevented it.

The thing needs rational, calm reaction and response.

@GossiTheDog What can be done to detect other open source contributor subversion attacks that did not get detected by the combined luck & very thorough investigation that found this one?
@DavidPenington @GossiTheDog Maybe dig into that fuzzer project that Jia Tan social engineered to get checks switched off there. Do they have enough contributors to audit such changes better?