mort on Nostr: WRT the #xz thing: It seems like the original maintainer of XZ was struggling to find ...
WRT the #xz thing: It seems like the original maintainer of XZ was struggling to find motivation, someone else stepped up and started contributing and collaborating; that someone else got commit rights. That someone else then added a backdoor after a long time of doing seemingly good maintainer work.
XZ is far from the only #opensource / #foss project which this attack could work against. I personally have projects where I'd hand over maintainership to an outsider who did good work for months.
Published at
2024-03-29 22:29:51

Event JSON
{
"id": "e572459a24b82fa53d7f4631e920dd6a4001fc0cc823d383e8c001bb1b9ec630",
"pubkey": "d161863854e69153d6d31c76d38cb74a373cff754e7413e8f381f2fa5356e683",
"created_at": 1711751391,
"kind": 1,
"tags": [
[
"t",
"xz"
],
[
"t",
"opensource"
],
[
"t",
"foss"
],
[
"proxy",
"https://fosstodon.org/users/mort/statuses/112181339225271274",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://fosstodon.org/users/mort/statuses/112181339225271274",
"pink.momostr"
]
],
"content": "WRT the #xz thing: It seems like the original maintainer of XZ was struggling to find motivation, someone else stepped up and started contributing and collaborating, that someone else got commit rights. That someone else then added a backdoor after a long time of doing seemingly good maintainer work.\n\nXZ is far from the only #opensource / #foss project which this attack could work against. I personally have projects where I'd hand over maintainership to an outsider who did good work for months.",
"sig": "e33a13f58d68b04a14f6d9981b94a12625af03779f3d380c97ffdac5dc6489e7321f6870a58c9d3672175d2dc161eeb3e51155a2e9eff30eb4f2b221854d6a4f"
}