While everyone is busy analyzing the highly complex technical details of the recently discovered xz-utils compromise that is currently rocking the internet, it is worth looking at the underlying non-technical problems that make such a compromise possible. A very good write-up can be found on the blog of Rob Mensching...
In my discussions with people around this issue I was also mostly troubled by the social problems this attack exposed. I acknowledge the mental health/burnout issues with small projects that have a disparate significance for the whole free software ecosystem, but my focus is elsewhere:
ReplyDeleteThis attack has exposed a more serious problem - the attacker has managed to convince people, who aren't a burnedout hobby developer from a small rural area in Finland, including people from Google, that he is completely legit just because he has a GitHub account that wasn't created yesterday (and in some cases using a GitHub account that was created yesterday).