Lasse Collin in commit message: “The other maintainer suddenly disappeared.” 😆
#jiatan #xz
https://github.com/tukaani-project/xz/commit/77a294d98a9d2d48f7e4ac273711518bf689f5c4
Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.
The abusive behavior that was being used to manipulate Lasse Collin into bringing on more maintainers for #xz went unnoticed because abusive behavior in Open Source communities is so pervasive. In context, we can clearly see it was part of an orchestrated operation. Out of context, it looks like just another asshole complaining about stuff they have no right to complain about. https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
There simply is no established or easy way to detect backdoors done the #xz way. We give powers and trust to maintainers because that is the development model.
Anyone suggesting there is an easy fix has not understood the issues at hand.
But we are Open Source which allows everyone to dig, check, read code and investigate.
Upgrade your systems now!
The xz package has been backdoored
https://archlinux.org/news/the-xz-package-has-been-backdoored/