Open Source

31014 readers

777 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago

MODERATORS

[email protected]

457

XZ Hack - "If this timeline is correct, it’s not the modus operandi of a hobbyist. [...] It wouldn’t be surprising if it was paid for by a state actor." (lcamtuf.substack.com)

submitted 7 months ago by [email protected] to c/[email protected]

71 comments fedilink hide all child comments

Thought this was a good read exploring some how the "how and why" including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 11 points 7 months ago* (last edited 7 months ago) (1 children)

not trustworthy per se but maybe less overworked and inclined to review code more hastily, or less tired and inclined to have the worse judgement that makes such a project more vulnerable to stuff like this.

these people maintain the basis of our entire software infrastructure thanklessly for us in between the full time jobs they need to survive, this has to change.

as for trust in foss projects, the community will often notice bad faith code just like they just did (and very quickly this time, i might add!)

[–] [email protected] 3 points 7 months ago (1 children)

I guess you are using trust in a different way here. Trust in competency can vary with both volunteer and paid workers, everyone makes mistakes though. Trust that someone doesn't do something deliberately malicious is a different matter though.