I don’t understand how people see the xz incident and conclude that open source is insecure. That level of social engineering could easily have worked on a company as well, but it was detected *because* it was open source. All other mechanisms failed, and it was just some random guy poking around that discovered it. That kind of scrutiny doesn’t happen on closed source systems.
@kellogh This makes me conclude that we need more funding from companies that benefit from open source code. The fact that xz is only maintained by 1 or 2 developers and is used in utilities as important as OpenSSH is troubling. It doesn't make me worry about open source; it just shows weaknesses in the infrastructure we depend on.
@dogphilosopher @kellogh What it shows is that it's turtles all the way down, though. Ten years ago the worry was about openssh and tzdb; now it's anything that even gets to touch those, which in this case was a temporary optimisation through two layers of indirection in the init system. People blame systemd for this as if the previous world, where _everything_ was unreadable shell scripts being run suid root, was somehow less vulnerable.