
Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support



* On 2024 05 Apr 11:28 -0500, Cindy Sue Causey wrote:
> Hi, All..
> 
> This just hit my emails seconds ago. It's the most info that I've
> personally read about the XZ backdoor exploit. I've been following
> NextGov as a friendly, plain language resource about government:
> 
> Linux backdoor was a long con, possibly with nation-state support, experts say;
> By David DiMolfetta; 2024.04.05 12:59pm EDT

To be honest, I think better coverage has been done by the F/OSS
community.  The gist I got from this article was government types
speculating that only other government types could possibly be involved,
though there is an allowance for uncertainty.

The article mentions the times that "Jia Tan" apparently made commits
as being consistent with business hours in China or Europe.  Possibly,
but if someone were ever to scrutinize my timelines they would probably
find them consistent with bouts of insomnia!

> Continues to sound like one single perp is destroying the TRUST factor that an
> untold number of future programmers must meet. That's heartbreaking.

The damage to trust is the biggest part of this story, IMO.  A lot of
discussion is centering around tools and performing double checks before
a distribution accepts an updated or new package which are all probably
good steps and which point to the loss of trust.  "Jia Tan" was able to
work with Lasse Collin on the XZ project to the point of gaining commit
privileges and becoming a co-maintainer.  This is nothing new and
projects have been handed off to new maintainers in a more-or-less
similar fashion over the decades.  That in itself would have never
raised an eyebrow.

Committing binary files into a compression utility repository, ostensibly
for testing the utility and its library, wasn't suspicious on the
surface, but now the knowledge that compromising code was being linked
into the library from them will make every binary file suspicious.
Certainly, their use is going to be checked and double-checked.  All of
this reflects the loss of trust.

For all of the other qualities why we have chosen Free Software, the
trust we have placed in Debian and its upstream projects has been
the underlying glue that has held this all together.  How this
is addressed going forward will be interesting.  Will upstream project
maintainers be required to have GPG keys signed like Debian requires of
its developers?  Will contributors be subject to the same?  Over the
years projects have received contributions from persons who wished to
remain more or less anonymous.  Will this change?  Will such
contributions become subject to even greater scrutiny by project
maintainers?  I suspect that at a minimum if a maintainer doesn't
clearly understand a patch then it won't get applied, but if the
maintainer is clever enough to work in a non-obvious patch that is
malicious, all bets are off.

It's a mess.

- Nate

-- 
"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
