this post was submitted on 06 Sep 2025
62 points (98.4% liked)
Programming
22734 readers
365 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The amount of time needed to do this to an opensource project compared to the time needed to do this to closed source software makes this article almost completely meaningless, especially since it's a recent article and not when this news was still news. It's clickbait and useless.
I feel like this is missing a big point of the article.
The vulnerability that the xz backdoor attempt revealed was the developers. The elephant in the room is that for someone capable of writing and maintaining a program so important to modern technical infrastructure, we're making sure to hang them out to dry. When they burn out because their 'hobby' becomes too emotionally draining (either because of a campaign to wear them down intentionally or fully naturally) someone will be waiting to take control. Who can you trust? Here, we see someone attempted (and nearly succeeded) a multi-year effort to establish themselves as a trusted member of the development community who was faking it all along. With the advent of LLMs, it's going to be even harder to tell if someone is trustworthy, or just a long-running LLM deception campaign.
Maybe, we should treat the people we rely on for these tools a little better for how much they contribute to modern tech infrastructure?
And I'll point out that's less aimed at the individuals who use tech, and more at the multi-billion-dollar multi-national tech companies that make money hand over fist using the work others donate.
Since paranoia seems to be a virtue in this case, here i go :
While your username is essentially XZ, you are advocating for the community to dismissing an analysis addressing the root causes that made it possible for a backdoor in the xz compression utility to be made.
Hummm ... how did you come to choose that username ? ... and were there any other articles written previously identifying theses social and funding problems in software infrastructure ?
Probably i am completely wrong since i know close to nothing about this subject.
Thanks for your time and attention.
This talks about one issue. You seem to be confident that this one case is representative of the whole FOSS space? I am not.
Can you elaborate how it would be much easier in closed source software? Because as far as I can see, it's different. In most cases, you need an actual person instead of an online persona, pass interview and contracting, and then you're still "the new guy" or Junior in the company or project. It's not like closed off from public eyes means anyone can do anything without any eyes.