984
submitted 7 months ago by Emerald@lemmy.world to c/linuxmemes@lemmy.world
you are viewing a single comment's thread
view the rest of the comments
[-] oce@jlai.lu 50 points 7 months ago* (last edited 7 months ago)

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here. https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

That really sucks. This kind of thing can make people and companies lose trust in open source. I wonder if we will learn the reason behind that. I would guess the developer was paid a lot of money by some organization to risk ruining his reputation like that.

[-] Wooki@lemmy.world 48 points 7 months ago* (last edited 7 months ago)

No, its the exact opposite.

Supply chain conpromise is a level of risk to manage not unique to FOSS. Ever heard of sunburst? It resulted in a lot of Microsofts cloud customers getting wreaked all because their supply chain was compromised.

Do people continue to buy into 365 and Azure? Yes. Without care.

So will this hurt open source projects? Not at all, in fact it will benefit them, highlight just why source code SHOULD be open source and visible to all! We would have had very little to no visibility and capability to monitor closed source. Let alone learn, improve and harden how projects can protect against this increasingly more common attack.

[-] oce@jlai.lu 15 points 7 months ago

Yeah, I agree but I know some companies will have stupid thoughts like "a company employee is less likely to do that" or "at least we have an employment contract to back us up legally".

[-] possiblylinux127@lemmy.zip 13 points 7 months ago* (last edited 7 months ago)

Until they are attacked...

Not to mention a lot of the time the "attack" is from the company themselves. Just look at the Meta malware as an example

[-] dan@upvote.au 5 points 7 months ago

the Meta malware

What is this?

[-] possiblylinux127@lemmy.zip 4 points 7 months ago

The VPN that performed a man in the middle attack to get data from other apps

[-] bier@feddit.nl 6 points 7 months ago

Ugh this reminds me of a guy I worked with, he used to be a trucker but became a software tester (he was also very religious).

Anyway he used to hate on open source software and call it open sores. According to him it was all amateur crap. Ugh I still hate that guy and it has been 15 years....

load more comments (12 replies)
this post was submitted on 30 Mar 2024
984 points (98.4% liked)

linuxmemes

21280 readers
1143 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
  •  

    Please report posts and comments that break these rules!


    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.

    founded 1 year ago
    MODERATORS