The whole "long con" part of the xz-utils saga is what's crazy. Sleeper agent YEARS in the making. And there's a person out there. WHO ARE THEY!?! Somewhere, RIGHT NOW, sitting at Chipotle thinking "I would have gotten away with it if it wasn't for you meddling kids!"
I really hope governments and companies are doing all they can to track down the most likely organisation/country behind this. It’s also important for the OSS community to look over what the entry barrier for contributing is. Perhaps at least an online meeting. Perhaps references. Not because of pressure from society but out of self-preservation. I wouldn’t want to be part of an OSS project that had vulnerabilities like this. However, it’s important to not blame the maintainer for xz, because this is a very new concept that I don’t think anyone has seen before, where some org or person plays a long con game of social engineering. Anyone would fall for that, most likely. With this new knowledge it’s important to be more suspicious.
@shanselman My funpost response for the XZ thing is that it must have been a hired shop that is WITCH tier for blackhat ops, that's why it took so long to even get to prod before rejection.
@shanselman It's incredible. Two years. It makes you wonder how many more such long-cons are underway? Or same group of attackers with numerous sybil accounts.
@shanselman Think bigger. It's not one person and not necessarily in the USA. Although I would not put this beyond the US government.
@shanselman That's my main problem with open source. It depends on too many players. And these players create too many layers of abstractions. And we trust these abstractions because we have no way to check them all. It's an ever-changing system of libraries supported by unknown people.
@shanselman I'm far more impressed by the guy who detected it than the guy who made it ngl... The level of dedication in perf analysis, this is the "rockstar" senior dev you want in your company.
@shanselman Whenever there's incentive and usually a state actor involved. open.spotify.com/show/2k2xSiE0Y…