
Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support



On Fri, Apr 5, 2024, 1:39 PM <tomas@tuxteam.de> wrote:
> On Fri, Apr 05, 2024 at 12:27:03PM -0400, Cindy Sue Causey wrote:
> > Hi, All..
> >
> > This just hit my emails seconds ago. It's the most info that I've
> > personally read about the XZ backdoor exploit. I've been following
> > NextGov as a friendly, plain language resource about government:
>
> ...
>
> > Continues to sound like one single perp is destroying the TRUST factor that an
> > untold number of future programmers must meet. That's heartbreaking.
>
> No, on the contrary. First of all, it is great that it has been
> caught /before/ it could cause much harm -- I
> ....
> So hardly new. What's special about this case is that the contributor
> had been working for the project for two years, thus earning trust
> with the community -- the most widespread notion seems to be that
> they had been planning the thing all along. I see at least another
> possible interpretation, that they started as a genuine contributor
> and went bad, be it by bribing, coercion, or even replacement. Secret
> services and hackers (where's the difference, anyway?) are like
> that. Opportunists.
>
> Reminds us that trust is, at the root, a human thing, and thus sometimes
> fragile. As in Real Life, we need ways to recover.

And to me that's the most interesting thing about this incident too. It's a good counter-example to the open-source "trust"-based model of software development, simply by proving what we all knew: some people can't be trusted but also can't be detected as untrustworthy. And it also shows a "win" of that same development model, many eyes and a persistent mind who didn't like things that didn't make sense.

But what if next time the back-doored software _does_ build without error?

