Everything I know about the xz backdoor

last updated: Mar 30, 2024

Yesterday I tooted:

I’m amazed at how few problems actually come from trusting every single person in the software distribution chain to not act maliciously

Which, naturally, meant that the worst malicious act in open source software that I know of would happen a few hours later.


A GitHub account named JiaT75 apparently spent a long time gaining maintainership of the xz project so that they could insert a malicious backdoor, which was quite clever and was only discovered by accident.

I still stand by my statement - this incident is so shocking because it's so rare - but it shouldn't be taken to mean that we don't need to think about, and protect ourselves from, incidents such as this.

