- cross-posted to:
- cybersecurity@sh.itjust.works
- cross-posted to:
- cybersecurity@sh.itjust.works
They haven’t particularly made a comment on the situation so much as acknowledged it’s happening. They seem to be going with the story that they had nothing to do with it and this is news to them. Hope to hear more from them soon so we can find out more about the situation, how and why this happened, etc.
(The sceptical tone isn’t because of disbelief of Collin, it’s because we don’t know enough about the situation to be able to say Collin is or isn’t telling the truth here.)
You must log in or register to comment.
Don’t be too hard on Collin. Looking back on the threads it’s fairly clear he’s been the victim of a social engineering attack on an overworked maintainer. People were pressuring him to hand over maintainership while expressing disappointment at the slow pace of development. The off-list contact by Jia must have seemed like a helpful enthusiastic solution to a burnt out developer.
People were pressuring him to hand over maintainership while expressing disappointment at the slow pace of development.
Very likely that was part of the attack as well.
Definitely sounds like it. This happened to me in a real company as well. It was butal.
Sorry to hear your situation. I’ve heard a similar story from a friend, where cronies bully one “colleague” after another to push that poor person to the edge. These morons climb the company’s career ladder in that way, hacking the HR evaluation. It’s truly disgusting.
Thanks for understanding. I didnt imagine a nice comment like this. :)
In fact it was my company and an employee who I trusted worked behind my back to take over. When that didnt work he took off with company assets.
I agree with that assessment, I’m not accusing Collin of anything. If it is what it seems to be then I feel very bad for him. Just being cautious with wording until things are more settled/until we know more is all.
Just a reminder - I’m sure we have all seen it: https://xkcd.com/2347/
I hadn’t seen that particular one before, so thanks! I guess I was one of the lucky 10,000.
Thanks for commenting. I’m going to keep posting these.
The lucky 10000 is such a wonderful concept.
I think if you read through this and take it at face value, there is a pretty clear picture of what happened: https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
Can someone give me a TLDR please
This is as much tldr I could find. https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Its best you actually find an info dump on the situation as it’s not really something that can be tldr’d
The endgame is going to be those who rely on this software paying to maintain it.
Sorry but if the maintainer says it didnt know? Sounds fishy. Or just a bad maintainer.
You realise that this comment is exactly part of the problem of why this happened, right? 🤦🏻♀️
Do you think being maintainer makes you some kind of all knowing being? That’s not how that works. You write code and review code of others.
If there are multiple maintainers, you may obviously not even notice what another maintainer is doing; then you wouldn’t need multiple maintainers with write access if you could handle it all by yourself.
If I were the co-maintainer of a project I wouldn’t suspect that the person who had been actively contributing for over 2 years had injected malicious code into a binary file to distribute in the tarballs. “Jia Tan” had already gained Collin’s trust by then
I suggest you read a little in how the backdoor was implemented. It wasn’t as obvious as you think. I personally don’t think the owner had anything to do with it.
Who’s paying him? Seriously:
- If nobody is, then we got our value’s worth.
- If someone is, then we should look at who, how much, and why.
