https://boehs.org/node/everything-i-know-about-the-xz-backdoor
I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.
@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html

@glyph @eb I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."

@diazona @geofft @glyph @eb There's a lot of precedent for hiring maintainers of top-level programs whose brand (for lack of a better term) has reached the level of awareness of a C-level with a hiring budget. Collectively pooling money to help the projects C-levels have never heard of… has a much weaker track record. We've been trying to tackle it at Tidelift for a while and suffice to say I've definitely had a lot of "but it can't happen to me" conversations.

@luis_in_brief @diazona @glyph @eb Yeah, that resonates with my experience. People like GvR get hired (which is great!) but there's a whole dependency stack underneath. Their maintainers often have a strong résumé to get hired for a normal big tech job at a company that uses the language/ecosystem/etc., but not necessarily for maintaining the project as their job. Sometimes the job is even "build something similar for an internal non-OSS ecosystem."

@geofft @luis_in_brief @diazona @eb There are layers and layers to this. Famous maintainers get hired more than critical maintainers. And maintenance is important, but how do you pay for the commons of *new* projects? The Tidelift model gets us part of the way there, because these costs need to be aggregated and there needs to be some kind of oversight, but even if it were universally adopted (and that is far from true) there are so many missing pieces.

@eb Not mentioned is, AFAIK, the story that xz has been proposed for the Linux kernel: https://hachyderm.io/@effigies@mas.to/112180939371795162

@eb Other news: another subtle thing fixed: https://chaos.social/@danderson@hachyderm.io/112185746040563778

@eb The kernel news is not, though, or am I missing something? https://chaos.social/@olov@mastodon.world/112183669865847937 https://chaos.social/@rugk/112181829229444954

@rugk Yeah, I've seen that floating around for a while and I just haven't had an opportunity to fully understand the implications of it.
Holy shit.