
Re: Validating tarballs against git repositories



On Sat, Mar 30, 2024 at 09:58:22AM +0100, Ingo Jürgensmann wrote:
> > Yes. In that specific case, the original xz maintainer (Lasse Collin)
> > was socially-pressed by a likely fake person (Jigar Kumar) to do the
> > "right thing" and hand over maintenance.
> > https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html
> 
> In his reply to that mail Lasse writes in https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html:
> 
> > It's also good to keep in mind that this is an unpaid hobby project.
> 
> 
> This reminds me of https://xkcd.com/2347/ - and I think that’s getting a more common threat vector for FLOSS: pick up some random lib that is widely used, insert some malicious code and have fun. Then also imagine stuff that automates builds in other ways like docker containers, Ruby, Rust, pip that pull stuff from the network and installs it without further checks. 
> 
> I hope (and am confident) that Debian as a project will react accordingly to prevent this happening again. 
How?

-- 
WBR, wRAR
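The subject of this thread is validating a release tarball against the git repository it claims to come from, which is also the kind of check the quoted message says automated build pipelines skip. The script below is an added example, not code from Debian or from anyone in this thread: it hashes every regular file in two tar archives (the release tarball and the output of `git archive <tag>`) and reports files that the tarball adds, changes or drops relative to the tagged tree, with an allow-list for files that are legitimately generated at release time (e.g. `configure`). The sample archives, file names and contents at the bottom are constructed inline so the script runs offline; the assumption that both archives use a single top-level prefix directory is handled by stripping that prefix.

```python
"""Compare a release tarball against a reference tree such as `git archive <tag>`.

Added example for illustration; not project code. Both archives are assumed to
wrap their files in one top-level directory (as `git archive --prefix=` and most
release tarballs do); that prefix is stripped before comparing paths.
"""
import hashlib
import io
import sys
import tarfile
from typing import Dict, Iterable, List


def load_tar(data: bytes) -> Dict[str, str]:
    """Map each regular file in a tar archive to the SHA-256 of its contents.

    Directories and symlinks are skipped. If every entry shares one top-level
    directory, that directory is stripped so the two sides compare by relative
    path.
    """
    entries: List[tuple] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fobj = tar.extractfile(member)
            entries.append((member.name, hashlib.sha256(fobj.read()).hexdigest()))
    tops = {name.split("/", 1)[0] for name, _ in entries}
    if len(tops) == 1 and all("/" in name for name, _ in entries):
        entries = [(name.split("/", 1)[1], digest) for name, digest in entries]
    return dict(entries)


def compare(release: Dict[str, str], reference: Dict[str, str],
            generated: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Classify differences between the release tarball and the git tree.

    - added:     present in the tarball but not in git and not allow-listed
    - generated: present in the tarball but not in git, and allow-listed
    - modified:  present on both sides with different contents
    - missing:   present in git but absent from the tarball
    Anything in "added" or "modified" deserves a human look.
    """
    allow = set(generated)
    report: Dict[str, List[str]] = {"added": [], "generated": [], "modified": [], "missing": []}
    for path, digest in sorted(release.items()):
        if path not in reference:
            report["generated" if path in allow else "added"].append(path)
        elif reference[path] != digest:
            report["modified"].append(path)
    report["missing"] = sorted(set(reference) - set(release))
    return report


def build_tar(prefix: str, files: Dict[str, bytes]) -> bytes:
    """Build a gzip-compressed tar archive in memory (used for the sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data (hypothetical project "foo-1.0"): the tarball carries a
# generated `configure`, an altered m4 macro and an m4 file that git never had.
REFERENCE_FILES = {
    "configure.ac": b"AC_INIT([foo], [1.0])\n",
    "m4/foo.m4": b"dnl original macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
RELEASE_FILES = {
    "configure.ac": REFERENCE_FILES["configure.ac"],
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "m4/foo.m4": b"dnl altered macro\n",
    "m4/unexpected.m4": b"dnl not in git\n",
    "src/main.c": REFERENCE_FILES["src/main.c"],
}
GENERATED_ALLOWLIST = {"configure"}


def demo_report() -> Dict[str, List[str]]:
    """Run the comparison on the constructed sample archives."""
    release = load_tar(build_tar("foo-1.0", RELEASE_FILES))
    reference = load_tar(build_tar("foo-1.0", REFERENCE_FILES))
    return compare(release, reference, GENERATED_ALLOWLIST)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: compare-tarball.py release.tar.gz <(git archive --format=tar TAG)
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            result = compare(load_tar(f1.read()), load_tar(f2.read()), GENERATED_ALLOWLIST)
    else:
        result = demo_report()
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

On the sample data this prints `added m4/unexpected.m4`, `generated configure` and `modified m4/foo.m4`. In real use, feed it the upstream tarball and the output of `git archive --format=tar --prefix=foo-1.0/ v1.0`; the allow-list of generated files has to be maintained per project, and anything that lands in "added" or "modified" and is not a known build artifact is exactly what a reviewer should diff by hand before the tarball is trusted.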


