On Fri, Apr 5, 2024, 1:39 PM <to...@tuxteam.de> wrote:
> On Fri, Apr 05, 2024 at 12:27:03PM -0400, Cindy Sue Causey wrote:
> > Hi, All..
> >
> > This just hit my emails seconds ago. It's the most info that I've
> > personally read about the XZ backdoor exploit. I've been following
> > NextGov as a friendly, plain language resource about government:
>
...
> > Continues to sound like one single perp is destroying the TRUST factor
> > that an untold number of future programmers must meet. That's heartbreaking.
>
> No, on the contrary. First of all, it is great that it has been
> caught /before/ it could cause much harm -- I
> ....
> So hardly new. What's special about this case is that the contributor
> had been working for the project for two years, thus earning trust
> with the community -- the most widespread notion seems to be that
> they had been planning the thing all along. I see at least another
> possible interpretation, that they started as a genuine contributor
> and went bad, be it by bribing, coercion, or even replacement. Secret
> services and hackers (where's the difference, anyway?) are like
> that. Opportunists.
>
> Reminds us that trust is, at the root, a human thing, and thus sometimes
> fragile. As in Real Life, we need ways to recover.
>

And to me that's the most interesting thing about this incident too. It's a good counter-example to the open-source "trust"-based model of software development, simply by proving what we all knew: some people can't be trusted but also can't be detected as untrustworthy. And it also shows a "win" of that same development model: many eyes and a persistent mind who didn't like things that didn't make sense. But what if next time the back-doored software _does_ build without error?

Cheers

>
> [0] https://lwn.net/Articles/773121/
> [1] https://en.wikipedia.org/wiki/SolarWinds#2019%E2%80%932020_supply_chain_attacks
> [2] https://arxiv.org/abs/2005.09535
>
> --
> t
>