on the xz backdoor

· erock's blog

exploring foss through an exploit
#xz #foss

Additional convo: https://youtu.be/5CKeQvyX3pY

https://openwall.com/lists/oss-security/2024/03/29/4

After reading about this exploit and some of the chatter relating to it, I'm not entirely sure what to think.

On one hand, it seems like the bad actor had little resistance merging nefarious code in a utility that has embedded itself virtually everywhere I care about (e.g. linux ecosystem). But my other hand is telling me we cannot expect to prevent this class of supply chain attack from happening again and again.

We demand software be free and open but when something goes wrong with that free volunteer labor system we cannot reconcile with why this keeps happening.

Compounding things in my mind are the recent community discussions surrounding the Redis adoption of a dual source-available licensing.

I don't know, this is starting to feel like a cultural problem within foss. We want foundational and critical systems to be free and open, while also having high standards for security, stability, and performance -- among many others.

We are extracting labor from the passionate and resolute for financial gain. Trillions of dollars in economic growth rests on volunteer labor.

We need a business model that doesn't trigger a splintering of forks and along with it, community endorsement. I do wonder, have we already seen that business model? Does our collective perspective need to shift?

Have a comment? Start a discussion by sending an email to my public inbox.